From 2ee694c71298774c3044e19166662e7f871beb2b Mon Sep 17 00:00:00 2001 From: "artem.ivanov" Date: Mon, 11 Nov 2024 20:53:23 +0300 Subject: [PATCH 1/8] Refactored Keeper methods to manage certificates --- x/pki/keeper/approved_root_certificates.go | 7 +- x/pki/keeper/child_certificates.go | 65 +++------ x/pki/keeper/keeper.go | 136 +++++++++++++++--- .../msg_server_add_noc_x_509_ica_cert.go | 37 +---- .../msg_server_add_noc_x_509_root_cert.go | 26 +--- x/pki/keeper/msg_server_add_x_509_cert.go | 31 +--- .../msg_server_approve_add_x_509_root_cert.go | 27 +--- ...g_server_approve_revoke_x_509_root_cert.go | 44 +++--- .../msg_server_remove_noc_x_509_ica_cert.go | 21 +-- .../msg_server_remove_noc_x_509_root_cert.go | 20 +-- x/pki/keeper/msg_server_remove_x_509_cert.go | 17 +-- .../msg_server_revoke_noc_x_509_ica_cert.go | 22 ++- .../msg_server_revoke_noc_x_509_root_cert.go | 46 +++--- x/pki/keeper/msg_server_revoke_x_509_cert.go | 18 +-- 14 files changed, 228 insertions(+), 289 deletions(-) diff --git a/x/pki/keeper/approved_root_certificates.go b/x/pki/keeper/approved_root_certificates.go index 3c911e122..a1dead345 100644 --- a/x/pki/keeper/approved_root_certificates.go +++ b/x/pki/keeper/approved_root_certificates.go @@ -35,9 +35,14 @@ func (k Keeper) RemoveApprovedRootCertificates(ctx sdk.Context) { } // Add root certificate to the list. -func (k Keeper) AddApprovedRootCertificate(ctx sdk.Context, certID types.CertificateIdentifier) { +func (k Keeper) AddApprovedRootCertificate(ctx sdk.Context, certificate types.Certificate) { rootCertificates, _ := k.GetApprovedRootCertificates(ctx) + certID := types.CertificateIdentifier{ + Subject: certificate.Subject, + SubjectKeyId: certificate.SubjectKeyId, + } + // Check if the root cert is already there for _, existingCertID := range rootCertificates.Certs { if *existingCertID == certID { diff --git a/x/pki/keeper/child_certificates.go b/x/pki/keeper/child_certificates.go index aff2055fc..e7e83f27d 100644 
--- a/x/pki/keeper/child_certificates.go +++ b/x/pki/keeper/child_certificates.go @@ -68,19 +68,24 @@ func (k Keeper) GetAllChildCertificates(ctx sdk.Context) (list []types.ChildCert } // Add a child certificate to the list of child certificate IDs for the issuer/authorityKeyId map. -func (k Keeper) AddChildCertificate(ctx sdk.Context, issuer string, authorityKeyID string, certID types.CertificateIdentifier) { +func (k Keeper) AddChildCertificate(ctx sdk.Context, certificate types.Certificate) { store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.ChildCertificatesKeyPrefix)) + certID := types.CertificateIdentifier{ + Subject: certificate.Subject, + SubjectKeyId: certificate.SubjectKeyId, + } + childCertificatesBytes := store.Get(types.ChildCertificatesKey( - issuer, - authorityKeyID, + certificate.Issuer, + certificate.AuthorityKeyId, )) var childCertificates types.ChildCertificates if childCertificatesBytes == nil { childCertificates = types.ChildCertificates{ - Issuer: issuer, - AuthorityKeyId: authorityKeyID, + Issuer: certificate.Issuer, + AuthorityKeyId: certificate.AuthorityKeyId, CertIds: []*types.CertificateIdentifier{}, } } else { @@ -97,8 +102,8 @@ func (k Keeper) AddChildCertificate(ctx sdk.Context, issuer string, authorityKey b := k.cdc.MustMarshal(&childCertificates) store.Set(types.ChildCertificatesKey( - issuer, - authorityKeyID, + certificate.Issuer, + certificate.AuthorityKeyId, ), b) } 
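Review bot: AddChildCertificate's doc comment no longer matches its contract: the store key is now derived from `certificate.Issuer` and `certificate.AuthorityKeyId` rather than passed in, and nothing tells a caller which certificates are valid input. Within this patch the new helpers only call it in their non-root branch, so the restriction appears intentional and is worth writing down. Suggested comment: `// AddChildCertificate records the certificate's {Subject, SubjectKeyId} under the {Issuer, AuthorityKeyId} entry of its issuer; intended for non-root certificates only.` The middle of the function body lies between the two hunks and is not visible here.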
@@ -112,23 +117,11 @@ func (k msgServer) RevokeApprovedChildCertificates(ctx sdk.Context, issuer strin certificates, _ := k.GetApprovedCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) k.AddRevokedCertificates(ctx, types.RevokedCertificates(certificates)) - // Remove certificate from global certificates list - k.RemoveAllCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from global subject -> subject key ID map - k.RemoveAllCertificateBySubject(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from global certificate -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) + // Remove certificate from global list + k.RemoveCertificateFromAllCertificateIndexes(ctx, *certIdentifier) - // Remove certificate from approved certificates list - k.RemoveApprovedCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from subject -> subject key ID map - k.RemoveApprovedCertificateBySubject(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from subject key ID -> certificates map - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) + // Remove certificate from da list + k.RemoveCertificateFromDaCertificateIndexes(ctx, *certIdentifier, false) // Process child certificates recursively k.RevokeApprovedChildCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) 
@@ -153,29 +146,11 @@ func (k msgServer) RevokeNocChildCertificates(ctx sdk.Context, issuer string, au Certs: certificates.Certs, }) - // Remove certificate from global certificates list - k.RemoveAllCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from global subject -> subject key ID map - k.RemoveAllCertificateBySubject(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // remove from global subject -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // Remove certificate from noc certificates list - k.RemoveNocCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - - // Remove it from NOC ICA certificates list - k.RemoveNocIcaCertificate(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId, certificates.Certs[0].Vid) - - // Remove from vid, subject key ID -> certificates map - k.RemoveNocCertificateByVidSubjectAndSkid(ctx, certificates.Certs[0].Vid, certIdentifier.Subject, certificates.SubjectKeyId) - - // remove from subject -> subject key ID map - k.RemoveNocCertificateBySubject(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) + // Remove certificate from global list + k.RemoveCertificateFromAllCertificateIndexes(ctx, *certIdentifier) - // remove from subject key ID -> certificates map - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) + // Remove certificate from da list + k.RemoveCertificateFromNocCertificateIndexes(ctx, *certIdentifier, certificates.Certs[0].Vid, false) // Process child certificates recursively k.RevokeNocChildCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) diff --git a/x/pki/keeper/keeper.go b/x/pki/keeper/keeper.go index 53439e8b2..817b787da 100644 --- a/x/pki/keeper/keeper.go +++ b/x/pki/keeper/keeper.go 
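Review bot: RevokeNocChildCertificates changes which {vid, skid} removal it performs. The deleted line called `RemoveNocCertificateByVidSubjectAndSkid(ctx, vid, subject, skid)`, while the new helper `RemoveCertificateFromNocCertificateIndexes` calls `RemoveNocCertificatesByVidAndSkid(ctx, accountVid, certID.SubjectKeyId)` without the subject. Neither implementation is visible in this patch, so confirm that the two are equivalent; if a {vid, skid} entry can hold certificates of more than one subject, revoking one child would now drop the others from that index. `certificates.Certs[0].Vid` is still read with no length check visible in the hunk, and the function body starts outside it. The comment above the NOC call should read `// Remove certificate from noc list`, not "da list".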
@@ -117,17 +117,119 @@ func filterCertificates(certificates *[]*types.Certificate, predicate Certificat return result } -func (k msgServer) removeApprovedX509Cert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.ApprovedCertificates, serialNumber string) { +func (k msgServer) AddCertificateToAllCertificateIndexes(ctx sdk.Context, certificate types.Certificate) { + // Add to the global list of certificates + k.AddAllCertificate(ctx, certificate) + + // append to global list of certificates indexed by subject + k.AddAllCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) +} + +func (k msgServer) AddCertificateToDaCertificateIndexes( + ctx sdk.Context, + certificate types.Certificate, + isRoot bool) { + // append new certificate to list of certificates with the same Subject/SubjectKeyID combination and store updated list + k.AddApprovedCertificate(ctx, certificate) + + // add to subject -> subject key ID map + k.AddApprovedCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) + + // add to subject key ID -> certificates map + k.AddApprovedCertificateBySubjectKeyID(ctx, certificate) + + if isRoot { + // add to root certificates index + k.AddApprovedRootCertificate(ctx, certificate) + } else { + // add the certificate identifier to the issuer's Child Certificates record + k.AddChildCertificate(ctx, certificate) + } +} + +func (k msgServer) AddCertificateToNocCertificateIndexes( + ctx sdk.Context, + certificate types.Certificate, + isRoot bool) { + // Add to the list of all NOC certificates + k.AddNocCertificate(ctx, certificate) + + // add to certificates map indexed by { vid, subject key id } + k.AddNocCertificateByVidAndSkid(ctx, certificate) + + // add to certificates map indexed by { subject } + k.AddNocCertificateBySubject(ctx, certificate) + + // add to certificates map indexed by { subject key id } + k.AddNocCertificateBySubjectKeyID(ctx, certificate) + + if isRoot { + // Add to the list of NOC root 
certificates with the same VID + k.AddNocRootCertificate(ctx, certificate) + } else { + // Add to the list of NOC ica certificates with the same VID + k.AddNocIcaCertificate(ctx, certificate) + // add the certificate identifier to the issuer's Child Certificates record + k.AddChildCertificate(ctx, certificate) + } +} + +func (k msgServer) RemoveCertificateFromAllCertificateIndexes(ctx sdk.Context, certID types.CertificateIdentifier) { + // remove from global certificates map + k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) + // remove from global subject -> subject key ID map + k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) +} + +func (k msgServer) RemoveCertificateFromDaCertificateIndexes( + ctx sdk.Context, + certID types.CertificateIdentifier, + isRoot bool) { + // remove from approved certificates map + k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId) + // remove from subject -> subject key ID map + k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) + // remove from subject key ID -> certificates map + k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) + if isRoot { + k.RemoveApprovedRootCertificate(ctx, certID) + } +} + +func (k msgServer) RemoveCertificateFromNocCertificateIndexes( + ctx sdk.Context, + certID types.CertificateIdentifier, + accountVid int32, + isRoot bool) { + // remove from noc certificates map + k.RemoveNocCertificates(ctx, certID.Subject, certID.SubjectKeyId) + // remove from vid, subject key id map + k.RemoveNocCertificatesByVidAndSkid(ctx, accountVid, certID.SubjectKeyId) + // remove from subject -> subject key ID map + k.RemoveNocCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) + // remove from subject key ID -> certificates map + k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) + if isRoot { + // remove from noc root certificates map + 
k.RemoveNocRootCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) + } else { + // remove from noc ica certificates map + k.RemoveNocIcaCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) + } +} + +func (k msgServer) removeDaX509Cert( + ctx sdk.Context, + certID types.CertificateIdentifier, + certificates *types.ApprovedCertificates, + serialNumber string) { if len(certificates.Certs) == 0 { - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) + // remove from global certificates map + k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) + // remove from noc certificates map + k.RemoveCertificateFromDaCertificateIndexes(ctx, certID, false) } else { k.RemoveAllCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) k.RemoveApprovedCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) k.RemoveApprovedCertificatesBySubjectKeyIDBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) } 
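Review bot: The new `AddCertificateToAllCertificateIndexes` and `RemoveCertificateFromAllCertificateIndexes` helpers leave out the global by-subject-key-ID index that every replaced call site maintained (`AddAllCertificateBySubjectKeyID`, `RemoveAllCertificatesBySubjectKeyID`), so this is a behaviour change inside a commit described as a refactor. The `RemoveAllCertificatesBySubjectKeyIDBySerialNumber` calls are likewise dropped in removeDaX509Cert here and in removeNocX509Cert, _revokeRootCertificateBySerialNumber and _revokeNocCertificate. If entries written before this change remain in state, revoke and remove no longer purge them, and a revoked certificate could stay visible through that index. Either keep `k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId)` in the remove helper, or state in the commit message that the index is being retired and that a later patch in the series migrates existing entries. Separately, the Add helpers register the child-certificate record but the Remove helpers have no counterpart; presumably callers handle that elsewhere, which is worth a doc comment on these exported methods.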
@@ -142,22 +244,12 @@ func (k msgServer) removeNocX509Cert( isRoot bool, ) { if len(certificates.Certs) == 0 { //nolint:nestif - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveNocCertificates(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveNocCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - k.RemoveNocCertificatesByVidAndSkid(ctx, accountVid, certID.SubjectKeyId) - - if isRoot { - k.RemoveNocRootCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) - } else { - k.RemoveNocIcaCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) - } + // remove from global certificates map + k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) + // remove from noc certificates map + k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, accountVid, isRoot) } else { k.RemoveAllCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) k.RemoveNocCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) k.RemoveNocCertificatesBySubjectKeyIDBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) k.RemoveNocCertificatesByVidAndSkidBySerialNumber(ctx, accountVid, certID.Subject, certID.SubjectKeyId, serialNumber) diff --git a/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go b/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go index c4fcf3dc7..95db2526e 100644 --- a/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go +++ b/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go 
@@ -103,37 +103,6 @@ func (k msgServer) AddNocX509IcaCert(goCtx context.Context, msg *types.MsgAddNoc msg.CertSchemaVersion, ) - // Add to the global list of certificates - k.AddAllCertificate(ctx, certificate) - - // append to global list of certificates indexed by subject - k.AddAllCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) - - // add to global list of certificates indexed by skid - k.AddAllCertificateBySubjectKeyID(ctx, certificate) - - // Add to the list of all NOC certificates - k.AddNocCertificate(ctx, certificate) - - // Add to the list of NOC ica certificates with the same VID - k.AddNocIcaCertificate(ctx, certificate) - - // add to certificates map indexed by { vid, subject key id } - k.AddNocCertificateByVidAndSkid(ctx, certificate) - - // add to certificates map indexed by { subject } - k.AddNocCertificateBySubject(ctx, certificate) - - // add to certificates map indexed by { subject key id } - k.AddNocCertificateBySubjectKeyID(ctx, certificate) - - // add the certificate identifier to the issuer's Child Certificates record - certificateIdentifier := types.CertificateIdentifier{ - Subject: certificate.Subject, - SubjectKeyId: certificate.SubjectKeyId, - } - k.AddChildCertificate(ctx, certificate.Issuer, certificate.AuthorityKeyId, certificateIdentifier) - // register the unique certificate key uniqueCertificate := types.UniqueCertificate{ Issuer: x509Certificate.Issuer, @@ -142,5 +111,11 @@ func (k msgServer) AddNocX509IcaCert(goCtx context.Context, msg *types.MsgAddNoc } k.SetUniqueCertificate(ctx, uniqueCertificate) + // Add to the indexes for global certificates list + k.AddCertificateToAllCertificateIndexes(ctx, certificate) + + // Add to the indexes for noc certificates list + k.AddCertificateToNocCertificateIndexes(ctx, certificate, false) + return &types.MsgAddNocX509IcaCertResponse{}, nil } 
diff --git a/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go b/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go index 0f22ab2f0..2703f6559 100644 --- a/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go @@ -84,21 +84,6 @@ func (k msgServer) AddNocX509RootCert(goCtx context.Context, msg *types.MsgAddNo msg.CertSchemaVersion, ) - // Add to the global list of certificates - k.AddAllCertificate(ctx, certificate) - - // append to global list of certificates indexed by subject - k.AddAllCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) - - // add to global list of certificates indexed by skid - k.AddAllCertificateBySubjectKeyID(ctx, certificate) - - // Add to the list of all NOC certificates - k.AddNocCertificate(ctx, certificate) - - // Add to the list of NOC root certificates with the same VID - k.AddNocRootCertificate(ctx, certificate) - // register the unique certificate key uniqueCertificate := types.UniqueCertificate{ Issuer: x509Certificate.Issuer, @@ -107,14 +92,11 @@ func (k msgServer) AddNocX509RootCert(goCtx context.Context, msg *types.MsgAddNo } k.SetUniqueCertificate(ctx, uniqueCertificate) - // add to certificates map indexed by { vid, subject key id } - k.AddNocCertificateByVidAndSkid(ctx, certificate) - - // add to certificates map indexed by { subject } - k.AddNocCertificateBySubject(ctx, certificate) + // Add to the indexes for global certificates list + k.AddCertificateToAllCertificateIndexes(ctx, certificate) - // add to certificates map indexed by { subject key id } - k.AddNocCertificateBySubjectKeyID(ctx, certificate) + // Add to the indexes for noc certificates list + k.AddCertificateToNocCertificateIndexes(ctx, certificate, true) return &types.MsgAddNocX509RootCertResponse{}, nil } diff --git a/x/pki/keeper/msg_server_add_x_509_cert.go b/x/pki/keeper/msg_server_add_x_509_cert.go index 816f446d1..f61ebc167 100644 --- a/x/pki/keeper/msg_server_add_x_509_cert.go 
+++ b/x/pki/keeper/msg_server_add_x_509_cert.go @@ -107,31 +107,6 @@ func (k msgServer) AddX509Cert(goCtx context.Context, msg *types.MsgAddX509Cert) msg.CertSchemaVersion, ) - // append to global list of certificates - k.AddAllCertificate(ctx, certificate) - - // append to global list of certificates indexed by subject - k.AddAllCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) - - // add to global list of certificates indexed by skid - k.AddAllCertificateBySubjectKeyID(ctx, certificate) - - // append new certificate to list of certificates with the same Subject/SubjectKeyID combination and store updated list - k.AddApprovedCertificate(ctx, certificate) - - // add to subject -> subject key ID map - k.AddApprovedCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) - - // add to subject key ID -> certificates map - k.AddApprovedCertificateBySubjectKeyID(ctx, certificate) - - // add the certificate identifier to the issuer's Child Certificates record - certificateIdentifier := types.CertificateIdentifier{ - Subject: certificate.Subject, - SubjectKeyId: certificate.SubjectKeyId, - } - k.AddChildCertificate(ctx, certificate.Issuer, certificate.AuthorityKeyId, certificateIdentifier) - // register the unique certificate key uniqueCertificate := types.UniqueCertificate{ Issuer: x509Certificate.Issuer, @@ -140,6 +115,12 @@ func (k msgServer) AddX509Cert(goCtx context.Context, msg *types.MsgAddX509Cert) } k.SetUniqueCertificate(ctx, uniqueCertificate) + // Add to the indexes for global certificates list + k.AddCertificateToAllCertificateIndexes(ctx, certificate) + + // Add to the indexes for DA certificates list + k.AddCertificateToDaCertificateIndexes(ctx, certificate, false) + return &types.MsgAddX509CertResponse{}, nil } diff --git a/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go b/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go index 757891504..c38cbe24f 100644 
--- a/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go @@ -79,30 +79,11 @@ func (k msgServer) ApproveAddX509RootCert(goCtx context.Context, msg *types.MsgA // delete proposed certificate k.RemoveProposedCertificate(ctx, msg.Subject, msg.SubjectKeyId) - // add approved certificate to stored list of all certificates - k.AddAllCertificate(ctx, rootCertificate) + // Add to the indexes for global certificates list + k.AddCertificateToAllCertificateIndexes(ctx, rootCertificate) - // append to global list of certificates indexed by subject - k.AddAllCertificateBySubject(ctx, rootCertificate.Subject, rootCertificate.SubjectKeyId) - - // add to global list of certificates indexed by skid - k.AddAllCertificateBySubjectKeyID(ctx, rootCertificate) - - // add approved certificate to stored list of certificates with the same Subject/SubjectKeyID combination - k.AddApprovedCertificate(ctx, rootCertificate) - - // add to root certificates index - certID := types.CertificateIdentifier{ - Subject: rootCertificate.Subject, - SubjectKeyId: rootCertificate.SubjectKeyId, - } - k.AddApprovedRootCertificate(ctx, certID) - - // add to subject -> subject key ID map - k.AddApprovedCertificateBySubject(ctx, rootCertificate.Subject, rootCertificate.SubjectKeyId) - - // add to subject key ID -> certificates map - k.AddApprovedCertificateBySubjectKeyID(ctx, rootCertificate) + // Add to the indexes for DA certificates list + k.AddCertificateToDaCertificateIndexes(ctx, rootCertificate, true) } else { // update proposed certificate k.SetProposedCertificate(ctx, proposedCertificate) diff --git a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go index e02a221a3..28ae6a7ac 100644 --- a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go 
@@ -65,7 +65,7 @@ func (k msgServer) ApproveRevokeX509RootCert(goCtx context.Context, msg *types.M k.RemoveProposedCertificateRevocation(ctx, msg.Subject, msg.SubjectKeyId, msg.SerialNumber) if msg.SerialNumber != "" { - k._revokeRootCertificate(ctx, revocation.Approvals, msg.SerialNumber, certificates, revocation.SchemaVersion) + k._revokeRootCertificateBySerialNumber(ctx, revocation.Approvals, msg.SerialNumber, certificates, revocation.SchemaVersion) } else { k._revokeRootCertificates(ctx, revocation.Approvals, certificates, revocation.SchemaVersion) } @@ -100,17 +100,14 @@ func (k msgServer) _revokeRootCertificates( // remove from root certs index, add to revoked root certs k.AddRevokedCertificates(ctx, types.RevokedCertificates(certificates)) - k.RemoveApprovedRootCertificate(ctx, certID) - k.RemoveAllCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveApprovedCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from subject -> subject key ID map - k.RemoveApprovedCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) + // Remove certificate from global list + k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) + + // Remove certificate from da list + k.RemoveCertificateFromDaCertificateIndexes(ctx, certID, true) } -func (k msgServer) _revokeRootCertificate( + +func (k msgServer) _revokeRootCertificateBySerialNumber( ctx sdk.Context, approvals []*types.Grant, serialNumber string, 
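Review bot: The renamed `_revokeRootCertificateBySerialNumber` keeps its leading underscore, as do `_revokeRootCertificates`, `_revokeNocCertificate` and `_revokeNocRootCertificateBySerialNumber`, while this same commit drops the prefix from `_removeRevokedNocX509IcaCert` and `_removeRevokedNocX509RootCert`. Go identifiers use MixedCaps without underscores, and a lower-case initial already marks a method as unexported. Since the function is being renamed anyway, `revokeRootCertificateBySerialNumber` would make the package consistent. The function body continues in the next hunk.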
@@ -125,27 +122,26 @@ func (k msgServer) _revokeRootCertificate( Certs: []*types.Certificate{cert}, SchemaVersion: cert.SchemaVersion, } + + // remove from root certs index, add to revoked root certs k.AddRevokedCertificates(ctx, revCert) removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates.Certs) if len(certificates.Certs) == 0 { - k.RemoveAllCertificates(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedCertificates(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedRootCertificate(ctx, - types.CertificateIdentifier{ - Subject: certificates.Subject, - SubjectKeyId: certificates.SubjectKeyId, - }, - ) - k.RemoveApprovedCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) + certID := types.CertificateIdentifier{ + Subject: certificates.Subject, + SubjectKeyId: certificates.SubjectKeyId, + } + + // Remove certificate from global list + k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) + + // Remove certificate from da list + k.RemoveCertificateFromDaCertificateIndexes(ctx, certID, true) } else { k.SetApprovedCertificates(ctx, certificates) k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) k.RemoveApprovedCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) } } diff --git a/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go b/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go index 9a5b0ad47..2ab767662 100644 --- a/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go +++ b/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go 
@@ -76,27 +76,16 @@ func (k msgServer) RemoveNocX509IcaCert(goCtx context.Context, msg *types.MsgRem if foundRevoked { removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) - k._removeRevokedNocX509IcaCert(ctx, certID, &revCerts) + k.removeRevokedNocX509IcaCert(ctx, certID, &revCerts) } } else { // remove from global certificates map - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global subject -> subject map - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global certificates -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) + k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) // remove from noc certificates map - k.RemoveNocCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from noc ica certificates map - k.RemoveNocIcaCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) - // remove from vid, subject key id map - k.RemoveNocCertificatesByVidAndSkid(ctx, accountVid, certID.SubjectKeyId) - // remove from subject -> subject key ID map - k.RemoveNocCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) + k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, accountVid, false) // remove from revoked list k.RemoveRevokedNocIcaCertificates(ctx, certID.Subject, certID.SubjectKeyId) + // remove from subject with serialNumber map for _, cert := range certificates { k.RemoveUniqueCertificate(ctx, cert.Issuer, cert.SerialNumber) 
@@ -106,7 +95,7 @@ func (k msgServer) RemoveNocX509IcaCert(goCtx context.Context, msg *types.MsgRem return &types.MsgRemoveNocX509IcaCertResponse{}, nil } -func (k msgServer) _removeRevokedNocX509IcaCert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.RevokedNocIcaCertificates) { +func (k msgServer) removeRevokedNocX509IcaCert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.RevokedNocIcaCertificates) { if len(certificates.Certs) == 0 { k.RemoveRevokedNocIcaCertificates(ctx, certID.Subject, certID.SubjectKeyId) } else { diff --git a/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go b/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go index c14313a05..8972cafa6 100644 --- a/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go 
@@ -72,25 +72,13 @@ func (k msgServer) RemoveNocX509RootCert(goCtx context.Context, msg *types.MsgRe if foundRevoked { removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) - k._removeRevokedNocX509RootCert(ctx, certID, &revCerts) + k.removeRevokedNocX509RootCert(ctx, certID, &revCerts) } } else { // remove from global certificates map - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global subject -> subject key ID map - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global subject -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) + k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) // remove from noc certificates map - k.RemoveNocCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from noc root certificates map - k.RemoveNocRootCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) - // remove from vid, subject key id map - k.RemoveNocCertificatesByVidAndSkid(ctx, accountVid, certID.SubjectKeyId) - // remove from subject -> subject key ID map - k.RemoveNocCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) + k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, accountVid, true) // remove from revoked noc root certs k.RemoveRevokedNocRootCertificates(ctx, certID.Subject, certID.SubjectKeyId) // remove from subject with serialNumber map 
@@ -102,7 +90,7 @@ func (k msgServer) RemoveNocX509RootCert(goCtx context.Context, msg *types.MsgRe return &types.MsgRemoveNocX509RootCertResponse{}, nil } -func (k msgServer) _removeRevokedNocX509RootCert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.RevokedNocRootCertificates) { +func (k msgServer) removeRevokedNocX509RootCert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.RevokedNocRootCertificates) { if len(certificates.Certs) == 0 { k.RemoveRevokedNocRootCertificates(ctx, certID.Subject, certID.SubjectKeyId) } else { diff --git a/x/pki/keeper/msg_server_remove_x_509_cert.go b/x/pki/keeper/msg_server_remove_x_509_cert.go index 7f8269477..5152cc25b 100644 --- a/x/pki/keeper/msg_server_remove_x_509_cert.go +++ b/x/pki/keeper/msg_server_remove_x_509_cert.go @@ -60,7 +60,7 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50 if foundApproved { removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &aprCerts.Certs) - k.removeApprovedX509Cert(ctx, certID, &aprCerts, msg.SerialNumber) + k.removeDaX509Cert(ctx, certID, &aprCerts, msg.SerialNumber) } if foundRevoked { removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) 
@@ -68,19 +68,12 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50 } } else { // remove from global certificates map - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global subject -> subject map - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global subject -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - // remove from approved certificates map - k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject -> subject key ID map - k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) + k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) + // remove from noc certificates map + k.RemoveCertificateFromDaCertificateIndexes(ctx, certID, false) // remove from revoked list k.RemoveRevokedCertificates(ctx, certID.Subject, certID.SubjectKeyId) + // remove from subject with serialNumber map for _, cert := range certificates { k.RemoveUniqueCertificate(ctx, cert.Issuer, cert.SerialNumber) diff --git a/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go b/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go index add76ed31..00ae009a2 100644 --- a/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go +++ b/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go 
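Review bot: The comment `// remove from noc certificates map` in RemoveX509Cert sits above `k.RemoveCertificateFromDaCertificateIndexes(ctx, certID, false)`, which clears the DA (approved) indexes, not the NOC ones; it should read `// remove from DA (approved) certificate indexes`. The same mislabel appears in removeDaX509Cert in keeper.go. In _revokeNocIcaCertificates the retained comment "global certs list -> subject key ID map" now precedes `RemoveAllCertificateBySubject`. In revocation code these comments are what a reviewer uses to check that every index is cleared, so they should name the index actually touched.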
@@ -82,18 +82,18 @@ func (k msgServer) _revokeNocCertificate( removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates.Certs) + certID := types.CertificateIdentifier{ + Subject: certificates.Subject, + SubjectKeyId: certificates.SubjectKeyId, + } + if len(certificates.Certs) == 0 { - k.RemoveAllCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveNocCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveNocIcaCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid) - k.RemoveNocCertificatesByVidAndSkid(ctx, vid, cert.SubjectKeyId) - k.RemoveNocCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) + // Remove certificate from global list + k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) + // Remove certificate from noc list + k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, vid, false) } else { k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) k.RemoveNocCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) k.RemoveNocIcaCertificateBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, vid, serialNumber) k.RemoveNocCertificatesByVidAndSkidBySerialNumber(ctx, vid, cert.Subject, cert.SubjectKeyId, serialNumber) 
@@ -112,10 +112,8 @@ func (k msgServer) _revokeNocIcaCertificates(ctx sdk.Context, certificates types }) // remove cert from global certs list k.RemoveAllCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from global certs list -> subject map - k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) // remove cert from global certs list -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) + k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) // remove cert from NOC certs list k.RemoveNocCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) // remove cert from NOC ica certs list diff --git a/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go b/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go index 043f4d65b..5495840e8 100644 --- a/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go @@ -45,7 +45,7 @@ func (k msgServer) RevokeNocX509RootCert(goCtx context.Context, msg *types.MsgRe } if msg.SerialNumber != "" { - err = k._revokeNocRootCertificate(ctx, msg.SerialNumber, certificates, cert.Vid) + err = k._revokeNocRootCertificateBySerialNumber(ctx, msg.SerialNumber, certificates, cert.Vid) if err != nil { return nil, err } @@ -65,7 +65,7 @@ func (k msgServer) RevokeNocX509RootCert(goCtx context.Context, msg *types.MsgRe return &types.MsgRevokeNocX509RootCertResponse{}, nil } -func (k msgServer) _revokeNocRootCertificate( +func (k msgServer) _revokeNocRootCertificateBySerialNumber( ctx sdk.Context, serialNumber string, certificates types.NocCertificates, 
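Review bot: The comment `// remove cert from global certs list -> subject key ID map` now sits directly above `k.RemoveAllCertificateBySubject(...)`, so it names an index this call does not touch; it should read `// remove cert from global certs list -> subject map`. `_revokeNocIcaCertificates` also still lists its removals by hand, while `_revokeNocRootCertificates` in this same patch switches to `k.RemoveCertificateFromAllCertificateIndexes(ctx, certID)` and `k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, vid, true)`. If the calls below the hunk match what the helper does, using the helpers here with `false` would keep the root and ICA revocation paths from drifting apart. The `len(certificates.Certs) == 0` branch of `_revokeX509Certificate` is left unconverted in the same way. The function body starts and ends outside the hunk.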
@@ -87,18 +87,18 @@ func (k msgServer) _revokeNocRootCertificate( removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates.Certs) + certID := types.CertificateIdentifier{ + Subject: cert.Subject, + SubjectKeyId: cert.SubjectKeyId, + } + if len(certificates.Certs) == 0 { - k.RemoveAllCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveNocCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - k.RemoveNocRootCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid) - k.RemoveNocCertificatesByVidAndSkid(ctx, vid, cert.SubjectKeyId) - k.RemoveNocCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) + // Remove certificate from global list + k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) + // Remove certificate from noc list + k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, vid, true) } else { k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) k.RemoveNocCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) k.RemoveNocRootCertificateBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, vid, serialNumber) k.RemoveNocCertificatesByVidAndSkidBySerialNumber(ctx, vid, cert.Subject, cert.SubjectKeyId, serialNumber) 
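Review bot: `certID` is built from `cert.Subject` and `cert.SubjectKeyId` here, while the otherwise parallel `_revokeNocCertificate` in msg_server_revoke_noc_x_509_ica_cert.go builds it from `certificates.Subject` and `certificates.SubjectKeyId`. The two are presumably equal, but a reader has to verify that outside the hunk, so both functions should take the identifier from the same source. After this change the two functions appear to differ only in the `isRoot` argument and the root/ICA by-serial-number call, so a single function taking `isRoot bool` would remove the duplication. The function body starts and ends outside the hunk.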
@@ -116,20 +116,12 @@ func (k msgServer) _revokeNocRootCertificates(ctx sdk.Context, certificates type Certs: certificates.Certs, }) - // remove cert from global certs list - k.RemoveAllCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from global certs list -> subject map - k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from global certs list -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from NOC certs list - k.RemoveNocCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from NOC ica certs list - k.RemoveNocRootCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid) - // remove from subject -> subject key ID map - k.RemoveNocCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from vid, subject key ID -> certificates map - k.RemoveNocCertificateByVidSubjectAndSkid(ctx, vid, certificates.Subject, certificates.SubjectKeyId) + certID := types.CertificateIdentifier{ + Subject: certificates.Subject, + SubjectKeyId: certificates.SubjectKeyId, + } + // Remove certificate from global list + k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) + // Remove certificate from noc list + k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, vid, true) } diff --git a/x/pki/keeper/msg_server_revoke_x_509_cert.go b/x/pki/keeper/msg_server_revoke_x_509_cert.go index 614b3f3ea..219e4f115 100644 --- a/x/pki/keeper/msg_server_revoke_x_509_cert.go +++ b/x/pki/keeper/msg_server_revoke_x_509_cert.go 
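Review bot: The removed lines ended with `k.RemoveNocCertificateByVidSubjectAndSkid(ctx, vid, certificates.Subject, certificates.SubjectKeyId)`, but `RemoveCertificateFromNocCertificateIndexes` as defined in this patch series calls `k.RemoveNocCertificatesByVidAndSkid(ctx, accountVid, certID.SubjectKeyId)` instead, which the old code here did not call. Judging by the names only, the old call was scoped to one subject under the vid/skid key and the new one drops the whole vid/skid entry, so revoking one NOC root could also remove index entries for another certificate that shares the VID and subject key ID. Please confirm the two calls are equivalent for this path, or keep the subject-scoped call, and add a test with two NOC roots that share VID and SKID but differ in subject. The function body starts outside the hunk.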
@@ -64,19 +64,13 @@ func (k msgServer) _revokeX509Certificates(ctx sdk.Context, certID types.Certifi k.AddRevokedCertificates(ctx, types.RevokedCertificates(certificates)) // Remove certificate from global list - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // Remove certificate from global list -> subject map - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // Remove certificate from global list -> subject key ID map - k.RemoveAllCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - // Remove certificate from approved list - k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId) + k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) + + // Remove certificate from da list + k.RemoveCertificateFromDaCertificateIndexes(ctx, certID, false) + // Remove certificate identifier from issuer's ChildCertificates record k.RemoveChildCertificate(ctx, certificates.Certs[0].Issuer, certificates.Certs[0].AuthorityKeyId, certID) - // remove from subject -> subject key ID map - k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) } func (k msgServer) _revokeX509Certificate(ctx sdk.Context, cert *types.Certificate, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) { 
@@ -92,14 +86,12 @@ func (k msgServer) _revokeX509Certificate(ctx sdk.Context, cert *types.Certifica if len(certificates.Certs) == 0 { k.RemoveAllCertificates(ctx, cert.Subject, cert.SubjectKeyId) k.RemoveAllCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveAllCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) k.RemoveApprovedCertificates(ctx, cert.Subject, cert.SubjectKeyId) k.RemoveApprovedCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) k.RemoveApprovedCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) k.RemoveChildCertificate(ctx, cert.Issuer, cert.AuthorityKeyId, certID) } else { k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber) - k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber) k.RemoveApprovedCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber) k.RemoveApprovedCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber) } From 058bfb2ec149a108675d52a194b0d0ac13a45f77 Mon Sep 17 00:00:00 2001 
From: "artem.ivanov" Date: Wed, 20 Nov 2024 12:38:15 +0300 Subject: [PATCH 2/8] Refactored PKI module --- x/pki/keeper/approved_root_certificates.go | 11 +- x/pki/keeper/certificate_helpers.go | 257 ++++++++++++++++++ x/pki/keeper/child_certificates.go | 28 +- x/pki/keeper/keeper.go | 221 +-------------- .../msg_server_add_noc_x_509_ica_cert.go | 14 +- .../msg_server_add_noc_x_509_root_cert.go | 14 +- x/pki/keeper/msg_server_add_x_509_cert.go | 14 +- .../msg_server_approve_add_x_509_root_cert.go | 7 +- ...g_server_approve_revoke_x_509_root_cert.go | 60 ++-- .../msg_server_propose_add_x_509_root_cert.go | 7 +- ...g_server_propose_revoke_x_509_root_cert.go | 2 +- .../msg_server_remove_noc_x_509_ica_cert.go | 23 +- .../msg_server_remove_noc_x_509_root_cert.go | 22 +- x/pki/keeper/msg_server_remove_x_509_cert.go | 48 ++-- .../msg_server_revoke_noc_x_509_ica_cert.go | 67 ++--- .../msg_server_revoke_noc_x_509_root_cert.go | 59 ++-- x/pki/keeper/msg_server_revoke_x_509_cert.go | 61 +++-- .../noc_certificates_by_vid_and_skid.go | 2 +- x/pki/keeper/revoked_certificates.go | 8 +- x/pki/keeper/unique_certificate.go | 11 + 20 files changed, 470 insertions(+), 466 deletions(-) create mode 100644 x/pki/keeper/certificate_helpers.go diff --git a/x/pki/keeper/approved_root_certificates.go b/x/pki/keeper/approved_root_certificates.go index a1dead345..ec5ab5f74 100644 --- a/x/pki/keeper/approved_root_certificates.go +++ b/x/pki/keeper/approved_root_certificates.go 
@@ -56,7 +56,16 @@ func (k Keeper) AddApprovedRootCertificate(ctx sdk.Context, certificate types.Ce } // Remove root certificate from the list. -func (k Keeper) RemoveApprovedRootCertificate(ctx sdk.Context, certID types.CertificateIdentifier) { +func (k Keeper) RemoveApprovedRootCertificate( + ctx sdk.Context, + subject string, + subjectKeyID string, +) { + certID := types.CertificateIdentifier{ + Subject: subject, + SubjectKeyId: subjectKeyID, + } + rootCertificates, _ := k.GetApprovedRootCertificates(ctx) certIDIndex := -1 diff --git a/x/pki/keeper/certificate_helpers.go b/x/pki/keeper/certificate_helpers.go new file mode 100644 index 000000000..ea56b0d3c --- /dev/null +++ b/x/pki/keeper/certificate_helpers.go 
@@ -0,0 +1,257 @@ +package keeper + +import ( + "math" + + sdk "github.com/cosmos/cosmos-sdk/types" + pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" + authTypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" +) + +func (k Keeper) CertificateApprovalsCount(ctx sdk.Context, authKeeper types.DclauthKeeper) int { + return int(math.Ceil(types.RootCertificateApprovalsPercent * + float64(authKeeper.CountAccountsWithRole(ctx, authTypes.Trustee)))) +} + +func (k Keeper) CertificateRejectApprovalsCount(ctx sdk.Context, authKeeper types.DclauthKeeper) int { + return authKeeper.CountAccountsWithRole(ctx, authTypes.Trustee) - k.CertificateApprovalsCount(ctx, authKeeper) + 1 +} + +func (k Keeper) EnsureVidMatches(ctx sdk.Context, owner string, signer string) error { + // get signer VID + signerAddr, err := sdk.AccAddressFromBech32(signer) + if err != nil { + return pkitypes.NewErrInvalidAddress(err) + } + + signerAccount, _ := k.dclauthKeeper.GetAccountO(ctx, signerAddr) + signerVid := signerAccount.VendorID + + // get owner VID + ownerAddr, err := sdk.AccAddressFromBech32(owner) + if err != nil { + return pkitypes.NewErrInvalidAddress(err) + } + + ownerAccount, _ := k.dclauthKeeper.GetAccountO(ctx, ownerAddr) + ownerVid := ownerAccount.VendorID + + if signerVid != ownerVid { + return pkitypes.NewErrUnauthorizedCertVendor(ownerVid) + } + + return nil +} + +func RemoveCertFromList(issuer string, serialNumber string, certs *[]*types.Certificate) { + certIndex := -1 + + for i, cert := range *certs { + if cert.SerialNumber == serialNumber && cert.Issuer == issuer { + certIndex = i + + break + } + } + if certIndex == -1 { + return + } + *certs = append((*certs)[:certIndex], (*certs)[certIndex+1:]...) 
+} + +func FindCertificateInList(serialNumber string, certificates *[]*types.Certificate) (*types.Certificate, bool) { + for _, cert := range *certificates { + if cert.SerialNumber == serialNumber { + return cert, true + } + } + + return nil, false +} + +func FilterCertificateList(certificates *[]*types.Certificate, predicate CertificatePredicate) []*types.Certificate { + var result []*types.Certificate + + for _, s := range *certificates { + if predicate(s) { + result = append(result, s) + } + } + + return result +} + +func (k msgServer) AddCertificateToGlobalCertificateIndexes( + ctx sdk.Context, + certificate types.Certificate, +) { + // add to the global list of certificates + k.AddAllCertificate(ctx, certificate) + // add to the global list of certificates indexed by subject key id + k.AddAllCertificateBySubjectKeyID(ctx, certificate) + // add to the global list of certificates indexed by subject + k.AddAllCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) +} + +func (k msgServer) RemoveCertificateFromGlobalCertificateIndexes( + ctx sdk.Context, + subject string, + subjectKeyID string, +) { + // remove from the global list of certificates + k.RemoveAllCertificates(ctx, subject, subjectKeyID) + // remove from the global list of certificates indexed by subject key id + k.RemoveAllCertificatesBySubjectKeyID(ctx, subject, subjectKeyID) + // remove from the global list of certificates indexed by subject + k.RemoveAllCertificateBySubject(ctx, subject, subjectKeyID) +} + +func (k msgServer) StoreDaCertificate( + ctx sdk.Context, + certificate types.Certificate, + isRoot bool, +) { + // add to Global certificates indexes + k.AddCertificateToGlobalCertificateIndexes(ctx, certificate) + + // add to list of certificates with the same Subject/SubjectKeyID combination and store updated list + k.AddApprovedCertificate(ctx, certificate) + + // add to list of certificates indexed by subject + k.AddApprovedCertificateBySubject(ctx, certificate.Subject, 
certificate.SubjectKeyId) + + // add to list of certificates indexed by subject key id + k.AddApprovedCertificateBySubjectKeyID(ctx, certificate) + + if isRoot { + // add to root certificates index + k.AddApprovedRootCertificate(ctx, certificate) + } else { + // add the certificate identifier to the issuer's Child Certificates record + k.AddChildCertificate(ctx, certificate) + } +} + +func (k msgServer) RemoveDaCertificate( + ctx sdk.Context, + subject string, + subjectKeyID string, + isRoot bool, +) { + // remove from global list + k.RemoveCertificateFromGlobalCertificateIndexes(ctx, subject, subjectKeyID) + // remove from approved certificates map + k.RemoveApprovedCertificates(ctx, subject, subjectKeyID) + // remove from subject -> subject key ID map + k.RemoveApprovedCertificateBySubject(ctx, subject, subjectKeyID) + // remove from subject key ID -> certificates map + k.RemoveApprovedCertificatesBySubjectKeyID(ctx, subject, subjectKeyID) + if isRoot { + k.RemoveApprovedRootCertificate(ctx, subject, subjectKeyID) + } +} + +func (k msgServer) RemoveDaCertificateBySerialNumber( + ctx sdk.Context, + subject string, + subjectKeyID string, + certificates *types.ApprovedCertificates, + serialNumber string, + issuer string, +) { + RemoveCertFromList(issuer, serialNumber, &certificates.Certs) + + if len(certificates.Certs) == 0 { + k.RemoveDaCertificate(ctx, subject, subjectKeyID, false) + } else { + k.RemoveAllCertificatesBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveApprovedCertificatesBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveApprovedCertificatesBySubjectKeyIDBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + } +} + +func (k msgServer) StoreNocCertificate( + ctx sdk.Context, + certificate types.Certificate, + isRoot bool) { + // add to Global certificates indexes + k.AddCertificateToGlobalCertificateIndexes(ctx, 
certificate) + + // add to the list of all NOC certificates + k.AddNocCertificate(ctx, certificate) + + // add to certificates map indexed by vid/skid + k.AddNocCertificateByVidAndSkid(ctx, certificate) + + // add to certificates map indexed by subject + k.AddNocCertificateBySubject(ctx, certificate) + + // add to certificates map indexed by subject key id + k.AddNocCertificateBySubjectKeyID(ctx, certificate) + + if isRoot { + // add to the list of NOC root certificates with the same VID + k.AddNocRootCertificate(ctx, certificate) + } else { + // add to the list of NOC ica certificates with the same VID + k.AddNocIcaCertificate(ctx, certificate) + // add the certificate identifier to the issuer's Child Certificates record + k.AddChildCertificate(ctx, certificate) + } +} + +func (k msgServer) RemoveNocCertificate( + ctx sdk.Context, + subject string, + subjectKeyID string, + accountVid int32, + isRoot bool, +) { + // remove from global list + k.RemoveCertificateFromGlobalCertificateIndexes(ctx, subject, subjectKeyID) + // remove from noc certificates map + k.RemoveNocCertificates(ctx, subject, subjectKeyID) + // remove from vid, subject key id map + k.RemoveNocCertificatesByVidAndSkid(ctx, accountVid, subjectKeyID) + // remove from subject -> subject key ID map + k.RemoveNocCertificateBySubject(ctx, subject, subjectKeyID) + // remove from subject key ID -> certificates map + k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, subject, subjectKeyID) + if isRoot { + // remove from noc root certificates map + k.RemoveNocRootCertificate(ctx, subject, subjectKeyID, accountVid) + } else { + // remove from noc ica certificates map + k.RemoveNocIcaCertificate(ctx, subject, subjectKeyID, accountVid) + } +} + +func (k msgServer) RemoveNocCertBySerialNumber( + ctx sdk.Context, + subject string, + subjectKeyID string, + certificates *types.NocCertificates, + accountVid int32, + serialNumber string, + issuer string, + isRoot bool, +) { + RemoveCertFromList(issuer, serialNumber, 
&certificates.Certs) + + if len(certificates.Certs) == 0 { + k.RemoveNocCertificate(ctx, subject, subjectKeyID, accountVid, isRoot) + } else { + k.RemoveAllCertificatesBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveNocCertificatesBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveNocCertificatesBySubjectKeyIDBySerialNumber(ctx, subject, subjectKeyID, serialNumber) + k.RemoveNocCertificatesByVidAndSkidBySerialNumber(ctx, accountVid, subject, subjectKeyID, serialNumber) + if isRoot { + k.RemoveNocRootCertificateBySerialNumber(ctx, subject, subjectKeyID, accountVid, serialNumber) + } else { + k.RemoveNocIcaCertificateBySerialNumber(ctx, subject, subjectKeyID, accountVid, serialNumber) + } + } +} diff --git a/x/pki/keeper/child_certificates.go b/x/pki/keeper/child_certificates.go index e7e83f27d..1ba16ce2e 100644 --- a/x/pki/keeper/child_certificates.go +++ b/x/pki/keeper/child_certificates.go 
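Review bot: `EnsureVidMatches` discards the second return value of `k.dclauthKeeper.GetAccountO` for both the signer and the owner, so if that value is a found flag (presumably it is), a missing account yields a zero-value `VendorID` and the `signerVid != ownerVid` comparison can pass for an owner account that no longer exists. Since this is the authorization check for certificate operations, bind the flag, `ownerAccount, found := k.dclauthKeeper.GetAccountO(ctx, ownerAddr)`, and return an error when either lookup fails instead of comparing defaults. The function is moved unchanged from keeper.go, so this is a good moment to fix it and add a test with an absent owner account. Also note that `FindCertificateInList` matches on `SerialNumber` alone while `RemoveCertFromList` matches on issuer and serial number; serial numbers are only unique per issuer, so the lookup should take the issuer as well. None of the newly exported helpers has a doc comment.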
@@ -113,18 +113,13 @@ func (k msgServer) RevokeApprovedChildCertificates(ctx sdk.Context, issuer strin // For each child certificate subject/subjectKeyID combination for _, certIdentifier := range childCertificates.CertIds { - // Revoke certificates with this subject/subjectKeyID combination + // Add revoked certificates with this subject/subjectKeyID combination certificates, _ := k.GetApprovedCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) k.AddRevokedCertificates(ctx, types.RevokedCertificates(certificates)) - - // Remove certificate from global list - k.RemoveCertificateFromAllCertificateIndexes(ctx, *certIdentifier) - // Remove certificate from da list - k.RemoveCertificateFromDaCertificateIndexes(ctx, *certIdentifier, false) - + k.RemoveDaCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, false) // Process child certificates recursively - k.RevokeApprovedChildCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) + k.RevokeApprovedChildCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) } // Delete entire ChildCertificates record of issuer 
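Review bot: The removal and the recursive call now take their keys from `certificates.Subject` and `certificates.SubjectKeyId`, but `certificates` comes from `k.GetApprovedCertificates` with its second return value discarded. If that lookup misses and returns a zero value (not visible here), both calls run with empty keys, the child's index entries stay in place and its own descendants are never visited, so part of a revoked chain would remain approved. Keep the identifier that drove the loop, `k.RemoveDaCertificate(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId, false)` and `k.RevokeApprovedChildCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId)`, or check the flag and `continue`. `RevokeNocChildCertificates` in the next hunk has the same pattern and additionally indexes `certificates.Certs[0].Vid`, which would panic on an empty result. Both function bodies start outside their hunks.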
@@ -137,30 +132,27 @@ func (k msgServer) RevokeNocChildCertificates(ctx sdk.Context, issuer string, au // For each child certificate subject/subjectKeyID combination for _, certIdentifier := range childCertificates.CertIds { - // Revoke certificates with this subject/subjectKeyID combination + // Add revoked certificates with this subject/subjectKeyID combination certificates, _ := k.GetNocCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) - k.AddRevokedNocIcaCertificates(ctx, types.RevokedNocIcaCertificates{ Subject: certificates.Subject, SubjectKeyId: certificates.SubjectKeyId, Certs: certificates.Certs, }) - - // Remove certificate from global list - k.RemoveCertificateFromAllCertificateIndexes(ctx, *certIdentifier) - // Remove certificate from da list - k.RemoveCertificateFromNocCertificateIndexes(ctx, *certIdentifier, certificates.Certs[0].Vid, false) - + k.RemoveNocCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, certificates.Certs[0].Vid, false) // Process child certificates recursively - k.RevokeNocChildCertificates(ctx, certIdentifier.Subject, certIdentifier.SubjectKeyId) + k.RevokeNocChildCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) } // Delete entire ChildCertificates record of issuer k.RemoveChildCertificates(ctx, issuer, authorityKeyID) } -func (k msgServer) RemoveChildCertificate(ctx sdk.Context, issuer string, authorityKeyID string, +func (k msgServer) RemoveChildCertificate( + ctx sdk.Context, + issuer string, + authorityKeyID string, certIdentifier types.CertificateIdentifier, ) { childCertificates, _ := k.GetChildCertificates(ctx, issuer, authorityKeyID) diff --git a/x/pki/keeper/keeper.go b/x/pki/keeper/keeper.go index 817b787da..cc767562e 100644 --- a/x/pki/keeper/keeper.go +++ b/x/pki/keeper/keeper.go 
@@ -2,14 +2,13 @@ package keeper import ( "fmt" - "math" "github.com/cometbft/cometbft/libs/log" "github.com/cosmos/cosmos-sdk/codec" storetypes "github.com/cosmos/cosmos-sdk/store/types" sdk "github.com/cosmos/cosmos-sdk/types" + pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" - authTypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) 
@@ -43,221 +42,3 @@ func NewKeeper( func (k Keeper) Logger(ctx sdk.Context) log.Logger { return ctx.Logger().With("module", fmt.Sprintf("x/%s", pkitypes.ModuleName)) } - -func (k Keeper) CertificateApprovalsCount(ctx sdk.Context, authKeeper types.DclauthKeeper) int { - return int(math.Ceil(types.RootCertificateApprovalsPercent * - float64(authKeeper.CountAccountsWithRole(ctx, authTypes.Trustee)))) -} - -func (k Keeper) CertificateRejectApprovalsCount(ctx sdk.Context, authKeeper types.DclauthKeeper) int { - return authKeeper.CountAccountsWithRole(ctx, authTypes.Trustee) - k.CertificateApprovalsCount(ctx, authKeeper) + 1 -} - -func (k Keeper) EnsureVidMatches(ctx sdk.Context, owner string, signer string) error { - // get signer VID - signerAddr, err := sdk.AccAddressFromBech32(signer) - if err != nil { - return pkitypes.NewErrInvalidAddress(err) - } - - signerAccount, _ := k.dclauthKeeper.GetAccountO(ctx, signerAddr) - signerVid := signerAccount.VendorID - - // get owner VID - ownerAddr, err := sdk.AccAddressFromBech32(owner) - if err != nil { - return pkitypes.NewErrInvalidAddress(err) - } - - ownerAccount, _ := k.dclauthKeeper.GetAccountO(ctx, ownerAddr) - ownerVid := ownerAccount.VendorID - - if signerVid != ownerVid { - return pkitypes.NewErrUnauthorizedCertVendor(ownerVid) - } - - return nil -} - -func removeCertFromList(issuer string, serialNumber string, certs *[]*types.Certificate) { - certIndex := -1 - - for i, cert := range *certs { - if cert.SerialNumber == serialNumber && cert.Issuer == issuer { - certIndex = i - - break - } - } - if certIndex == -1 { - return - } - *certs = append((*certs)[:certIndex], (*certs)[certIndex+1:]...) 
-} - -func findCertificate(serialNumber string, certificates *[]*types.Certificate) (*types.Certificate, bool) { - for _, cert := range *certificates { - if cert.SerialNumber == serialNumber { - return cert, true - } - } - - return nil, false -} - -func filterCertificates(certificates *[]*types.Certificate, predicate CertificatePredicate) []*types.Certificate { - var result []*types.Certificate - - for _, s := range *certificates { - if predicate(s) { - result = append(result, s) - } - } - - return result -} - -func (k msgServer) AddCertificateToAllCertificateIndexes(ctx sdk.Context, certificate types.Certificate) { - // Add to the global list of certificates - k.AddAllCertificate(ctx, certificate) - - // append to global list of certificates indexed by subject - k.AddAllCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) -} - -func (k msgServer) AddCertificateToDaCertificateIndexes( - ctx sdk.Context, - certificate types.Certificate, - isRoot bool) { - // append new certificate to list of certificates with the same Subject/SubjectKeyID combination and store updated list - k.AddApprovedCertificate(ctx, certificate) - - // add to subject -> subject key ID map - k.AddApprovedCertificateBySubject(ctx, certificate.Subject, certificate.SubjectKeyId) - - // add to subject key ID -> certificates map - k.AddApprovedCertificateBySubjectKeyID(ctx, certificate) - - if isRoot { - // add to root certificates index - k.AddApprovedRootCertificate(ctx, certificate) - } else { - // add the certificate identifier to the issuer's Child Certificates record - k.AddChildCertificate(ctx, certificate) - } -} - -func (k msgServer) AddCertificateToNocCertificateIndexes( - ctx sdk.Context, - certificate types.Certificate, - isRoot bool) { - // Add to the list of all NOC certificates - k.AddNocCertificate(ctx, certificate) - - // add to certificates map indexed by { vid, subject key id } - k.AddNocCertificateByVidAndSkid(ctx, certificate) - - // add to certificates map 
indexed by { subject } - k.AddNocCertificateBySubject(ctx, certificate) - - // add to certificates map indexed by { subject key id } - k.AddNocCertificateBySubjectKeyID(ctx, certificate) - - if isRoot { - // Add to the list of NOC root certificates with the same VID - k.AddNocRootCertificate(ctx, certificate) - } else { - // Add to the list of NOC ica certificates with the same VID - k.AddNocIcaCertificate(ctx, certificate) - // add the certificate identifier to the issuer's Child Certificates record - k.AddChildCertificate(ctx, certificate) - } -} - -func (k msgServer) RemoveCertificateFromAllCertificateIndexes(ctx sdk.Context, certID types.CertificateIdentifier) { - // remove from global certificates map - k.RemoveAllCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from global subject -> subject key ID map - k.RemoveAllCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) -} - -func (k msgServer) RemoveCertificateFromDaCertificateIndexes( - ctx sdk.Context, - certID types.CertificateIdentifier, - isRoot bool) { - // remove from approved certificates map - k.RemoveApprovedCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject -> subject key ID map - k.RemoveApprovedCertificateBySubject(ctx, certID.Subject, certID.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - if isRoot { - k.RemoveApprovedRootCertificate(ctx, certID) - } -} - -func (k msgServer) RemoveCertificateFromNocCertificateIndexes( - ctx sdk.Context, - certID types.CertificateIdentifier, - accountVid int32, - isRoot bool) { - // remove from noc certificates map - k.RemoveNocCertificates(ctx, certID.Subject, certID.SubjectKeyId) - // remove from vid, subject key id map - k.RemoveNocCertificatesByVidAndSkid(ctx, accountVid, certID.SubjectKeyId) - // remove from subject -> subject key ID map - k.RemoveNocCertificateBySubject(ctx, certID.Subject, 
certID.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certID.Subject, certID.SubjectKeyId) - if isRoot { - // remove from noc root certificates map - k.RemoveNocRootCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) - } else { - // remove from noc ica certificates map - k.RemoveNocIcaCertificate(ctx, certID.Subject, certID.SubjectKeyId, accountVid) - } -} - -func (k msgServer) removeDaX509Cert( - ctx sdk.Context, - certID types.CertificateIdentifier, - certificates *types.ApprovedCertificates, - serialNumber string) { - if len(certificates.Certs) == 0 { - // remove from global certificates map - k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) - // remove from noc certificates map - k.RemoveCertificateFromDaCertificateIndexes(ctx, certID, false) - } else { - k.RemoveAllCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveApprovedCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveApprovedCertificatesBySubjectKeyIDBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - } -} - -func (k msgServer) removeNocX509Cert( - ctx sdk.Context, - certID types.CertificateIdentifier, - certificates *types.NocCertificates, - accountVid int32, - serialNumber string, - isRoot bool, -) { - if len(certificates.Certs) == 0 { //nolint:nestif - // remove from global certificates map - k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) - // remove from noc certificates map - k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, accountVid, isRoot) - } else { - k.RemoveAllCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySubjectKeyIDBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, serialNumber) - 
k.RemoveNocCertificatesByVidAndSkidBySerialNumber(ctx, accountVid, certID.Subject, certID.SubjectKeyId, serialNumber) - - if isRoot { - k.RemoveNocRootCertificateBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, accountVid, serialNumber) - } else { - k.RemoveNocIcaCertificateBySerialNumber(ctx, certID.Subject, certID.SubjectKeyId, accountVid, serialNumber) - } - } -} diff --git a/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go b/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go index 95db2526e..db932346d 100644 --- a/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go +++ b/x/pki/keeper/msg_server_add_noc_x_509_ica_cert.go @@ -104,18 +104,10 @@ func (k msgServer) AddNocX509IcaCert(goCtx context.Context, msg *types.MsgAddNoc ) // register the unique certificate key - uniqueCertificate := types.UniqueCertificate{ - Issuer: x509Certificate.Issuer, - SerialNumber: x509Certificate.SerialNumber, - Present: true, - } - k.SetUniqueCertificate(ctx, uniqueCertificate) - - // Add to the indexes for global certificates list - k.AddCertificateToAllCertificateIndexes(ctx, certificate) + k.SetUniqueX509Certificate(ctx, x509Certificate) - // Add to the indexes for noc certificates list - k.AddCertificateToNocCertificateIndexes(ctx, certificate, false) + // store Noc certificate in indexes + k.StoreNocCertificate(ctx, certificate, false) return &types.MsgAddNocX509IcaCertResponse{}, nil } diff --git a/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go b/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go index 2703f6559..1954acda6 100644 --- a/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_add_noc_x_509_root_cert.go 
@@ -85,18 +85,10 @@ func (k msgServer) AddNocX509RootCert(goCtx context.Context, msg *types.MsgAddNo ) // register the unique certificate key - uniqueCertificate := types.UniqueCertificate{ - Issuer: x509Certificate.Issuer, - SerialNumber: x509Certificate.SerialNumber, - Present: true, - } - k.SetUniqueCertificate(ctx, uniqueCertificate) - - // Add to the indexes for global certificates list - k.AddCertificateToAllCertificateIndexes(ctx, certificate) + k.SetUniqueX509Certificate(ctx, x509Certificate) - // Add to the indexes for noc certificates list - k.AddCertificateToNocCertificateIndexes(ctx, certificate, true) + // store Noc certificate in indexes + k.StoreNocCertificate(ctx, certificate, true) return &types.MsgAddNocX509RootCertResponse{}, nil } diff --git a/x/pki/keeper/msg_server_add_x_509_cert.go b/x/pki/keeper/msg_server_add_x_509_cert.go index f61ebc167..69b3c5ab1 100644 --- a/x/pki/keeper/msg_server_add_x_509_cert.go +++ b/x/pki/keeper/msg_server_add_x_509_cert.go @@ -108,18 +108,10 @@ func (k msgServer) AddX509Cert(goCtx context.Context, msg *types.MsgAddX509Cert) ) // register the unique certificate key - uniqueCertificate := types.UniqueCertificate{ - Issuer: x509Certificate.Issuer, - SerialNumber: x509Certificate.SerialNumber, - Present: true, - } - k.SetUniqueCertificate(ctx, uniqueCertificate) - - // Add to the indexes for global certificates list - k.AddCertificateToAllCertificateIndexes(ctx, certificate) + k.SetUniqueX509Certificate(ctx, x509Certificate) - // Add to the indexes for DA certificates list - k.AddCertificateToDaCertificateIndexes(ctx, certificate, false) + // store DA certificate in indexes + k.StoreDaCertificate(ctx, certificate, false) return &types.MsgAddX509CertResponse{}, nil } diff --git a/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go b/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go index c38cbe24f..a735b3544 100644 --- a/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go 
+++ b/x/pki/keeper/msg_server_approve_add_x_509_root_cert.go @@ -79,11 +79,8 @@ func (k msgServer) ApproveAddX509RootCert(goCtx context.Context, msg *types.MsgA // delete proposed certificate k.RemoveProposedCertificate(ctx, msg.Subject, msg.SubjectKeyId) - // Add to the indexes for global certificates list - k.AddCertificateToAllCertificateIndexes(ctx, rootCertificate) - - // Add to the indexes for DA certificates list - k.AddCertificateToDaCertificateIndexes(ctx, rootCertificate, true) + // store DA certificate in indexes + k.StoreDaCertificate(ctx, rootCertificate, true) } else { // update proposed certificate k.SetProposedCertificate(ctx, proposedCertificate) diff --git a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go index 28ae6a7ac..8841671ba 100644 --- a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go @@ -65,9 +65,12 @@ func (k msgServer) ApproveRevokeX509RootCert(goCtx context.Context, msg *types.M k.RemoveProposedCertificateRevocation(ctx, msg.Subject, msg.SubjectKeyId, msg.SerialNumber) if msg.SerialNumber != "" { - k._revokeRootCertificateBySerialNumber(ctx, revocation.Approvals, msg.SerialNumber, certificates, revocation.SchemaVersion) + err := k.revokeRootCertificateBySerialNumber(ctx, revocation.Approvals, msg.SerialNumber, certificates) + if err != nil { + return nil, err + } } else { - k._revokeRootCertificates(ctx, revocation.Approvals, certificates, revocation.SchemaVersion) + k.revokeRootCertificate(ctx, revocation.Approvals, certificates, revocation.SchemaVersion) } if revocation.RevokeChild { 
@@ -80,7 +83,7 @@ func (k msgServer) ApproveRevokeX509RootCert(goCtx context.Context, msg *types.M return &types.MsgApproveRevokeX509RootCertResponse{}, nil } -func (k msgServer) _revokeRootCertificates( +func (k msgServer) revokeRootCertificate( ctx sdk.Context, approvals []*types.Grant, certificates types.ApprovedCertificates, @@ -92,29 +95,23 @@ func (k msgServer) _revokeRootCertificates( cert.Approvals = approvals } } - certID := types.CertificateIdentifier{ - Subject: certificates.Subject, - SubjectKeyId: certificates.SubjectKeyId, - } // remove from root certs index, add to revoked root certs k.AddRevokedCertificates(ctx, types.RevokedCertificates(certificates)) - - // Remove certificate from global list - k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) - - // Remove certificate from da list - k.RemoveCertificateFromDaCertificateIndexes(ctx, certID, true) + // remove certificate from da list + k.RemoveDaCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, true) } -func (k msgServer) _revokeRootCertificateBySerialNumber( +func (k msgServer) revokeRootCertificateBySerialNumber( ctx sdk.Context, approvals []*types.Grant, serialNumber string, certificates types.ApprovedCertificates, - schemaVersion uint32, -) { - cert, _ := findCertificate(serialNumber, &certificates.Certs) +) error { + cert, found := FindCertificateInList(serialNumber, &certificates.Certs) + if !found { + return pkitypes.NewErrCertificateBySerialNumberDoesNotExist(certificates.Subject, certificates.SubjectKeyId, serialNumber) + } cert.Approvals = approvals revCert := types.RevokedCertificates{ Subject: cert.Subject, 
@@ -126,22 +123,15 @@ func (k msgServer) _revokeRootCertificateBySerialNumber( // remove from root certs index, add to revoked root certs k.AddRevokedCertificates(ctx, revCert) - removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates.Certs) - - if len(certificates.Certs) == 0 { - certID := types.CertificateIdentifier{ - Subject: certificates.Subject, - SubjectKeyId: certificates.SubjectKeyId, - } - - // Remove certificate from global list - k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) - - // Remove certificate from da list - k.RemoveCertificateFromDaCertificateIndexes(ctx, certID, true) - } else { - k.SetApprovedCertificates(ctx, certificates) - k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveApprovedCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - } + // remove from certificate indexes + k.RemoveDaCertificateBySerialNumber( + ctx, + cert.Subject, + cert.SubjectKeyId, + &certificates, + cert.SerialNumber, + cert.Issuer, + ) + + return nil } diff --git a/x/pki/keeper/msg_server_propose_add_x_509_root_cert.go b/x/pki/keeper/msg_server_propose_add_x_509_root_cert.go index ccd786dac..79e2b2c8e 100644 --- a/x/pki/keeper/msg_server_propose_add_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_propose_add_x_509_root_cert.go @@ -109,12 +109,7 @@ func (k msgServer) ProposeAddX509RootCert(goCtx context.Context, msg *types.MsgP } // register the unique certificate key - uniqueCertificate := types.UniqueCertificate{ - Issuer: x509Certificate.Issuer, - SerialNumber: x509Certificate.SerialNumber, - Present: true, - } - k.SetUniqueCertificate(ctx, uniqueCertificate) + k.SetUniqueX509Certificate(ctx, x509Certificate) return &types.MsgProposeAddX509RootCertResponse{}, nil } diff --git a/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go b/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go index a01a0a514..85f4c6fdd 100644 
--- a/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_propose_revoke_x_509_root_cert.go @@ -47,7 +47,7 @@ func (k msgServer) ProposeRevokeX509RootCert(goCtx context.Context, msg *types.M } // fail if cert with serial number does not exist if msg.SerialNumber != "" { - _, found = findCertificate(msg.SerialNumber, &certificates.Certs) + _, found = FindCertificateInList(msg.SerialNumber, &certificates.Certs) if !found { return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist( msg.Subject, msg.SubjectKeyId, msg.SerialNumber, diff --git a/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go b/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go index 2ab767662..f7a687c46 100644 --- a/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go +++ b/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go @@ -60,7 +60,7 @@ func (k msgServer) RemoveNocX509IcaCert(goCtx context.Context, msg *types.MsgRem } if msg.SerialNumber != "" { - certBySerialNumber, found := findCertificate(msg.SerialNumber, &certificates) + certBySerialNumber, found := FindCertificateInList(msg.SerialNumber, &certificates) if !found { return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(msg.Subject, msg.SubjectKeyId, msg.SerialNumber) } 
@@ -70,22 +70,27 @@ func (k msgServer) RemoveNocX509IcaCert(goCtx context.Context, msg *types.MsgRem if foundActive { // Remove from certificates lists - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &icaCerts.Certs) - k.removeNocX509Cert(ctx, certID, &icaCerts, accountVid, msg.SerialNumber, false) + k.RemoveNocCertBySerialNumber( + ctx, + certBySerialNumber.Subject, + certBySerialNumber.SubjectKeyId, + &icaCerts, + accountVid, + certBySerialNumber.SerialNumber, + certBySerialNumber.Issuer, + false, + ) } if foundRevoked { - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) + RemoveCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) k.removeRevokedNocX509IcaCert(ctx, certID, &revCerts) } } else { - // remove from global certificates map - k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) - // remove from noc certificates map - k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, accountVid, false) // remove from revoked list k.RemoveRevokedNocIcaCertificates(ctx, certID.Subject, certID.SubjectKeyId) - + // remove from noc certificates map + k.RemoveNocCertificate(ctx, cert.Subject, cert.SubjectKeyId, accountVid, false) // remove from subject with serialNumber map for _, cert := range certificates { k.RemoveUniqueCertificate(ctx, cert.Issuer, cert.SerialNumber) diff --git a/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go b/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go index 8972cafa6..ee65c2600 100644 --- a/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_remove_noc_x_509_root_cert.go 
@@ -56,7 +56,7 @@ func (k msgServer) RemoveNocX509RootCert(goCtx context.Context, msg *types.MsgRe } if msg.SerialNumber != "" { - certBySerialNumber, found := findCertificate(msg.SerialNumber, &certificates) + certBySerialNumber, found := FindCertificateInList(msg.SerialNumber, &certificates) if !found { return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(msg.Subject, msg.SubjectKeyId, msg.SerialNumber) } @@ -66,21 +66,27 @@ func (k msgServer) RemoveNocX509RootCert(goCtx context.Context, msg *types.MsgRe if foundActive { // Remove from lists - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &nocCerts.Certs) - k.removeNocX509Cert(ctx, certID, &nocCerts, accountVid, msg.SerialNumber, true) + k.RemoveNocCertBySerialNumber( + ctx, + certBySerialNumber.Subject, + certBySerialNumber.SubjectKeyId, + &nocCerts, + accountVid, + msg.SerialNumber, + cert.Issuer, + true, + ) } if foundRevoked { - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) + RemoveCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) k.removeRevokedNocX509RootCert(ctx, certID, &revCerts) } } else { - // remove from global certificates map - k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) - // remove from noc certificates map - k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, accountVid, true) // remove from revoked noc root certs k.RemoveRevokedNocRootCertificates(ctx, certID.Subject, certID.SubjectKeyId) + // remove from noc certificates map + k.RemoveNocCertificate(ctx, cert.Subject, cert.SubjectKeyId, accountVid, true) // remove from subject with serialNumber map for _, cert := range certificates { k.RemoveUniqueCertificate(ctx, cert.Subject, cert.SerialNumber) diff --git a/x/pki/keeper/msg_server_remove_x_509_cert.go b/x/pki/keeper/msg_server_remove_x_509_cert.go index 5152cc25b..48ff20241 100644 --- a/x/pki/keeper/msg_server_remove_x_509_cert.go 
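Review bot: In the `@@ -66,21 +66,27 @@` hunk of msg_server_remove_noc_x_509_root_cert.go, the new `RemoveNocCertBySerialNumber` call passes `msg.SerialNumber` and `cert.Issuer`, whereas the matching ICA handler passes `certBySerialNumber.SerialNumber` and `certBySerialNumber.Issuer`. `cert` is bound outside this hunk, so it cannot be confirmed here that it is the same entry as `certBySerialNumber`. If the helper matches on issuer plus serial number, as the `RemoveCertFromList` call it replaces did, a mismatch would leave the targeted certificate in the active NOC root list while the handler still returns success. Passing `certBySerialNumber.SerialNumber, certBySerialNumber.Issuer,` keeps the removal keyed on the certificate that was actually looked up and makes the two handlers read the same. RemoveNocX509RootCert begins and ends outside the hunk.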
+++ b/x/pki/keeper/msg_server_remove_x_509_cert.go @@ -44,13 +44,8 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50 return nil, err } - certID := types.CertificateIdentifier{ - Subject: msg.Subject, - SubjectKeyId: msg.SubjectKeyId, - } - if msg.SerialNumber != "" { - certBySerialNumber, found := findCertificate(msg.SerialNumber, &certificates) + certBySerialNumber, found := FindCertificateInList(msg.SerialNumber, &certificates) if !found { return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(msg.Subject, msg.SubjectKeyId, msg.SerialNumber) } 
@@ -59,26 +54,37 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50 k.RemoveUniqueCertificate(ctx, certBySerialNumber.Issuer, certBySerialNumber.SerialNumber) if foundApproved { - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &aprCerts.Certs) - k.removeDaX509Cert(ctx, certID, &aprCerts, msg.SerialNumber) + k.RemoveDaCertificateBySerialNumber( + ctx, + certBySerialNumber.Subject, + certBySerialNumber.SubjectKeyId, + &aprCerts, + certBySerialNumber.SerialNumber, + certBySerialNumber.Issuer, + ) } if foundRevoked { - removeCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) - k.removeOrUpdateRevokedX509Cert(ctx, certID, &revCerts) + RemoveCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) + k.removeOrUpdateRevokedX509Cert(ctx, msg.Subject, msg.SubjectKeyId, &revCerts) } } else { - // remove from global certificates map - k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) - // remove from noc certificates map - k.RemoveCertificateFromDaCertificateIndexes(ctx, certID, false) - // remove from revoked list - k.RemoveRevokedCertificates(ctx, certID.Subject, certID.SubjectKeyId) - - // remove from subject with serialNumber map - for _, cert := range certificates { - k.RemoveUniqueCertificate(ctx, cert.Issuer, cert.SerialNumber) - } + k.revokeCertificate(ctx, aprCerts) } return &types.MsgRemoveX509CertResponse{}, nil } + +func (k msgServer) revokeCertificate( + ctx sdk.Context, + certificates types.ApprovedCertificates, +) { + // remove from noc certificates map + k.RemoveDaCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, false) + // remove from revoked list + k.RemoveRevokedCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) + + // remove from subject with serialNumber map + for _, cert := range certificates.Certs { + k.RemoveUniqueCertificate(ctx, cert.Issuer, cert.SerialNumber) + } +} 
diff --git a/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go b/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go index 00ae009a2..18e9bf03a 100644 --- a/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go +++ b/x/pki/keeper/msg_server_revoke_noc_x_509_ica_cert.go @@ -44,12 +44,12 @@ func (k msgServer) RevokeNocX509IcaCert(goCtx context.Context, msg *types.MsgRev } if msg.SerialNumber != "" { - err = k._revokeNocCertificate(ctx, msg.SerialNumber, certificates, cert.Vid) + err = k.revokeNocIcaCertificateBySerialNumber(ctx, msg.SerialNumber, certificates, cert.Vid) if err != nil { return nil, err } } else { - k._revokeNocIcaCertificates(ctx, certificates, cert.Vid) + k.revokeNocIcaCertificate(ctx, certificates, cert.Vid) } if msg.RevokeChild { 
@@ -60,68 +60,59 @@ func (k msgServer) RevokeNocX509IcaCert(goCtx context.Context, msg *types.MsgRev return &types.MsgRevokeNocX509IcaCertResponse{}, nil } -func (k msgServer) _revokeNocCertificate( +func (k msgServer) revokeNocIcaCertificateBySerialNumber( ctx sdk.Context, serialNumber string, certificates types.NocCertificates, vid int32, ) error { - cert, found := findCertificate(serialNumber, &certificates.Certs) + cert, found := FindCertificateInList(serialNumber, &certificates.Certs) if !found { return pkitypes.NewErrCertificateBySerialNumberDoesNotExist( certificates.Subject, certificates.SubjectKeyId, serialNumber, ) } - revCerts := types.RevokedNocIcaCertificates{ + k.AddRevokedNocIcaCertificates(ctx, types.RevokedNocIcaCertificates{ Subject: cert.Subject, SubjectKeyId: cert.SubjectKeyId, Certs: []*types.Certificate{cert}, - } - k.AddRevokedNocIcaCertificates(ctx, revCerts) + }) - removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates.Certs) - - certID := types.CertificateIdentifier{ - Subject: certificates.Subject, - SubjectKeyId: certificates.SubjectKeyId, - } + k.RemoveNocCertBySerialNumber( + ctx, + cert.Subject, + cert.SubjectKeyId, + &certificates, + vid, + cert.SerialNumber, + cert.Issuer, + false, + ) if len(certificates.Certs) == 0 { - // Remove certificate from global list - k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) - // Remove certificate from noc list - k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, vid, false) - } else { - k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocIcaCertificateBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, vid, serialNumber) - k.RemoveNocCertificatesByVidAndSkidBySerialNumber(ctx, vid, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, 
serialNumber) + k.RemoveChildCertificate(ctx, cert.Issuer, cert.AuthorityKeyId, types.CertificateIdentifier{ + Subject: certificates.Subject, + SubjectKeyId: certificates.SubjectKeyId, + }) } return nil } -func (k msgServer) _revokeNocIcaCertificates(ctx sdk.Context, certificates types.NocCertificates, vid int32) { +func (k msgServer) revokeNocIcaCertificate(ctx sdk.Context, certificates types.NocCertificates, vid int32) { + certID := types.CertificateIdentifier{ + Subject: certificates.Subject, + SubjectKeyId: certificates.SubjectKeyId, + } // Add certs into revoked lists k.AddRevokedNocIcaCertificates(ctx, types.RevokedNocIcaCertificates{ Subject: certificates.Subject, SubjectKeyId: certificates.SubjectKeyId, Certs: certificates.Certs, }) - // remove cert from global certs list - k.RemoveAllCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from global certs list -> subject key ID map - k.RemoveAllCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from NOC certs list - k.RemoveNocCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove cert from NOC ica certs list - k.RemoveNocIcaCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid) - // remove from subject -> subject key ID map - k.RemoveNocCertificateBySubject(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from subject key ID -> certificates map - k.RemoveNocCertificatesBySubjectAndSubjectKeyID(ctx, certificates.Subject, certificates.SubjectKeyId) - // remove from vid, subject key ID -> certificates map - k.RemoveNocCertificateByVidSubjectAndSkid(ctx, vid, certificates.Subject, certificates.SubjectKeyId) + // Remove certificate from noc list + k.RemoveNocCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid, false) + // Remove certificate identifier from issuer's ChildCertificates record + k.RemoveChildCertificate(ctx, certificates.Certs[0].Issuer, 
certificates.Certs[0].AuthorityKeyId, certID) } diff --git a/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go b/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go index 5495840e8..e8872dabb 100644 --- a/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_revoke_noc_x_509_root_cert.go 
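Review bot: The new `revokeNocIcaCertificate` in msg_server_revoke_noc_x_509_ica_cert.go indexes `certificates.Certs[0]` for the `RemoveChildCertificate` call without checking that the list is non-empty. An empty `Certs` slice would panic here, after the certificates have already been added to the revoked list. Whether the caller guarantees at least one entry is not visible in this hunk, so a local guard is safer: wrap the call as `if len(certificates.Certs) > 0 { k.RemoveChildCertificate(ctx, certificates.Certs[0].Issuer, certificates.Certs[0].AuthorityKeyId, certID) }`. The same unguarded index appears as an unchanged line in `revokeDaCertificate` in msg_server_revoke_x_509_cert.go.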
@@ -45,83 +45,62 @@ func (k msgServer) RevokeNocX509RootCert(goCtx context.Context, msg *types.MsgRe } if msg.SerialNumber != "" { - err = k._revokeNocRootCertificateBySerialNumber(ctx, msg.SerialNumber, certificates, cert.Vid) + err = k.revokeNocRootCertificateBySerialNumber(ctx, msg.SerialNumber, certificates, cert.Vid) if err != nil { return nil, err } } else { - k._revokeNocRootCertificates(ctx, certificates, cert.Vid) + k.revokeNocRootCertificate(ctx, certificates, cert.Vid) } if msg.RevokeChild { - certID := types.CertificateIdentifier{ - Subject: msg.Subject, - SubjectKeyId: msg.SubjectKeyId, - } // Remove certificate identifier from issuer's ChildCertificates record - k.RevokeNocChildCertificates(ctx, certID.Subject, certID.SubjectKeyId) + k.RevokeNocChildCertificates(ctx, msg.Subject, msg.SubjectKeyId) } return &types.MsgRevokeNocX509RootCertResponse{}, nil } -func (k msgServer) _revokeNocRootCertificateBySerialNumber( +func (k msgServer) revokeNocRootCertificateBySerialNumber( ctx sdk.Context, serialNumber string, certificates types.NocCertificates, vid int32, ) error { - cert, found := findCertificate(serialNumber, &certificates.Certs) + cert, found := FindCertificateInList(serialNumber, &certificates.Certs) if !found { return pkitypes.NewErrCertificateBySerialNumberDoesNotExist( certificates.Subject, certificates.SubjectKeyId, serialNumber, ) } - revNocCerts := types.RevokedNocRootCertificates{ + k.AddRevokedNocRootCertificates(ctx, types.RevokedNocRootCertificates{ Subject: certificates.Subject, SubjectKeyId: certificates.SubjectKeyId, Certs: []*types.Certificate{cert}, - } - k.AddRevokedNocRootCertificates(ctx, revNocCerts) - - removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates.Certs) - - certID := types.CertificateIdentifier{ - Subject: cert.Subject, - SubjectKeyId: cert.SubjectKeyId, - } + }) - if len(certificates.Certs) == 0 { - // Remove certificate from global list - k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) - // 
Remove certificate from noc list - k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, vid, true) - } else { - k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocRootCertificateBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, vid, serialNumber) - k.RemoveNocCertificatesByVidAndSkidBySerialNumber(ctx, vid, cert.Subject, cert.SubjectKeyId, serialNumber) - k.RemoveNocCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, serialNumber) - } + k.RemoveNocCertBySerialNumber( + ctx, + cert.Subject, + cert.SubjectKeyId, + &certificates, + vid, + serialNumber, + cert.Issuer, + true, + ) return nil } -func (k msgServer) _revokeNocRootCertificates(ctx sdk.Context, certificates types.NocCertificates, vid int32) { +func (k msgServer) revokeNocRootCertificate(ctx sdk.Context, certificates types.NocCertificates, vid int32) { // Add certs into revoked lists k.AddRevokedNocRootCertificates(ctx, types.RevokedNocRootCertificates{ Subject: certificates.Subject, SubjectKeyId: certificates.SubjectKeyId, Certs: certificates.Certs, }) - - certID := types.CertificateIdentifier{ - Subject: certificates.Subject, - SubjectKeyId: certificates.SubjectKeyId, - } - // Remove certificate from global list - k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) // Remove certificate from noc list - k.RemoveCertificateFromNocCertificateIndexes(ctx, certID, vid, true) + k.RemoveNocCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, vid, true) } diff --git a/x/pki/keeper/msg_server_revoke_x_509_cert.go b/x/pki/keeper/msg_server_revoke_x_509_cert.go index 219e4f115..5937daaad 100644 --- a/x/pki/keeper/msg_server_revoke_x_509_cert.go +++ b/x/pki/keeper/msg_server_revoke_x_509_cert.go 
@@ -41,14 +41,12 @@ func (k msgServer) RevokeX509Cert(goCtx context.Context, msg *types.MsgRevokeX50 } if msg.SerialNumber != "" { - certBySerialNumber, found := findCertificate(msg.SerialNumber, &certificates.Certs) - if !found { - return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(msg.Subject, msg.SubjectKeyId, msg.SerialNumber) + err = k.revokeDaCertificateBySerialNumber(ctx, msg.SerialNumber, certificates) + if err != nil { + return nil, err } - - k._revokeX509Certificate(ctx, certBySerialNumber, certIdentifier, certificates) } else { - k._revokeX509Certificates(ctx, certIdentifier, certificates) + k.revokeDaCertificate(ctx, certIdentifier, certificates) } if msg.RevokeChild { 
@@ -59,40 +57,47 @@ func (k msgServer) RevokeX509Cert(goCtx context.Context, msg *types.MsgRevokeX50 return &types.MsgRevokeX509CertResponse{}, nil } -func (k msgServer) _revokeX509Certificates(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) { +func (k msgServer) revokeDaCertificate(ctx sdk.Context, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) { // Revoke certificates with given subject/subjectKeyID k.AddRevokedCertificates(ctx, types.RevokedCertificates(certificates)) - - // Remove certificate from global list - k.RemoveCertificateFromAllCertificateIndexes(ctx, certID) - // Remove certificate from da list - k.RemoveCertificateFromDaCertificateIndexes(ctx, certID, false) - + k.RemoveDaCertificate(ctx, certID.Subject, certID.SubjectKeyId, false) // Remove certificate identifier from issuer's ChildCertificates record k.RemoveChildCertificate(ctx, certificates.Certs[0].Issuer, certificates.Certs[0].AuthorityKeyId, certID) } -func (k msgServer) _revokeX509Certificate(ctx sdk.Context, cert *types.Certificate, certID types.CertificateIdentifier, certificates types.ApprovedCertificates) { - revCerts := types.RevokedCertificates{ +func (k msgServer) revokeDaCertificateBySerialNumber( + ctx sdk.Context, + serialNumber string, + certificates types.ApprovedCertificates, +) error { + cert, found := FindCertificateInList(serialNumber, &certificates.Certs) + if !found { + return pkitypes.NewErrCertificateBySerialNumberDoesNotExist(certificates.Subject, certificates.SubjectKeyId, serialNumber) + } + + k.AddRevokedCertificates(ctx, types.RevokedCertificates{ Subject: cert.Subject, SubjectKeyId: cert.SubjectKeyId, Certs: []*types.Certificate{cert}, SchemaVersion: cert.SchemaVersion, - } - k.AddRevokedCertificates(ctx, revCerts) + }) + + k.RemoveDaCertificateBySerialNumber( + ctx, + certificates.Subject, + certificates.SubjectKeyId, + &certificates, + cert.SerialNumber, + cert.Issuer, + ) - 
removeCertFromList(cert.Issuer, cert.SerialNumber, &certificates.Certs) if len(certificates.Certs) == 0 { - k.RemoveAllCertificates(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveAllCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedCertificates(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedCertificateBySubject(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveApprovedCertificatesBySubjectKeyID(ctx, cert.Subject, cert.SubjectKeyId) - k.RemoveChildCertificate(ctx, cert.Issuer, cert.AuthorityKeyId, certID) - } else { - k.RemoveAllCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber) - k.RemoveApprovedCertificatesBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber) - k.RemoveApprovedCertificatesBySubjectKeyIDBySerialNumber(ctx, cert.Subject, cert.SubjectKeyId, cert.SerialNumber) + k.RemoveChildCertificate(ctx, cert.Issuer, cert.AuthorityKeyId, types.CertificateIdentifier{ + Subject: certificates.Subject, + SubjectKeyId: certificates.SubjectKeyId, + }) } + + return nil } diff --git a/x/pki/keeper/noc_certificates_by_vid_and_skid.go b/x/pki/keeper/noc_certificates_by_vid_and_skid.go index 0e1368d04..00110d4bf 100644 --- a/x/pki/keeper/noc_certificates_by_vid_and_skid.go +++ b/x/pki/keeper/noc_certificates_by_vid_and_skid.go @@ -120,7 +120,7 @@ func (k Keeper) _filterAndSetNocCertificateByVidAndSkid( predicate CertificatePredicate, ) { nocCertificates, _ := k.GetNocCertificatesByVidAndSkid(ctx, vid, subjectKeyID) - filteredCertificates := filterCertificates(&nocCertificates.Certs, predicate) + filteredCertificates := FilterCertificateList(&nocCertificates.Certs, predicate) if len(filteredCertificates) > 0 { nocCertificates.Certs = filteredCertificates diff --git a/x/pki/keeper/revoked_certificates.go b/x/pki/keeper/revoked_certificates.go index d9566d852..d71bbe1ee 100644 --- a/x/pki/keeper/revoked_certificates.go +++ b/x/pki/keeper/revoked_certificates.go 
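Review bot: In `revokeDaCertificateBySerialNumber` (msg_server_revoke_x_509_cert.go), the `if len(certificates.Certs) == 0` test only works because `RemoveDaCertificateBySerialNumber` removes the entry from `certificates.Certs` through the `&certificates` pointer, and nothing at the call site says so. The certificate_helpers.go hunk later on this page shows that helper calling `RemoveCertFromList(issuer, serialNumber, &certificates.Certs)`. A reader who sees a by-value `certificates` parameter followed by a length check could move or drop the check and leave a stale identifier in the issuer's ChildCertificates record once the last certificate is revoked. I would add a comment above the check, such as `// RemoveDaCertificateBySerialNumber removed the entry from certificates.Certs in place; empty means no certificate is left for this subject/SKID`. `revokeNocIcaCertificateBySerialNumber` in msg_server_revoke_noc_x_509_ica_cert.go uses the same pattern and presumably depends on `RemoveNocCertBySerialNumber` in the same way.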
@@ -96,9 +96,13 @@ func (k Keeper) AddRevokedCertificates(ctx sdk.Context, approvedCertificates typ ), b) } -func (k msgServer) removeOrUpdateRevokedX509Cert(ctx sdk.Context, certID types.CertificateIdentifier, certificates *types.RevokedCertificates) { +func (k msgServer) removeOrUpdateRevokedX509Cert( + ctx sdk.Context, + subject string, + subjectKeyID string, + certificates *types.RevokedCertificates) { if len(certificates.Certs) == 0 { - k.RemoveRevokedCertificates(ctx, certID.Subject, certID.SubjectKeyId) + k.RemoveRevokedCertificates(ctx, subject, subjectKeyID) } else { k.SetRevokedCertificates( ctx, diff --git a/x/pki/keeper/unique_certificate.go b/x/pki/keeper/unique_certificate.go index bfa1b9e5b..272ab82ad 100644 --- a/x/pki/keeper/unique_certificate.go +++ b/x/pki/keeper/unique_certificate.go @@ -5,6 +5,7 @@ import ( sdk "github.com/cosmos/cosmos-sdk/types" pkitypes "github.com/zigbee-alliance/distributed-compliance-ledger/types/pki" "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/x509" ) // SetUniqueCertificate set a specific uniqueCertificate in the store from its index. @@ -17,6 +18,16 @@ func (k Keeper) SetUniqueCertificate(ctx sdk.Context, uniqueCertificate types.Un ), b) } +// SetUniqueX509Certificate set a specific x509 certificate in the store from its index. +func (k Keeper) SetUniqueX509Certificate(ctx sdk.Context, x509Certificate *x509.Certificate) { + uniqueCertificate := types.UniqueCertificate{ + Issuer: x509Certificate.Issuer, + SerialNumber: x509Certificate.SerialNumber, + Present: true, + } + k.SetUniqueCertificate(ctx, uniqueCertificate) +} + // GetUniqueCertificate returns a uniqueCertificate from its index. func (k Keeper) GetUniqueCertificate( ctx sdk.Context, From 8f1f9f63f2101af6b0659667e949a5dd282eadec Mon Sep 17 00:00:00 2001 
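Review bot: The doc comment added for `SetUniqueX509Certificate` in unique_certificate.go says it sets an x509 certificate in the store, but the body stores a `types.UniqueCertificate` marker built from `Issuer` and `SerialNumber` with `Present: true`, not the certificate itself. The add handlers call this record "the unique certificate key", so the comment should describe it as such, for example `// SetUniqueX509Certificate marks the certificate's Issuer/SerialNumber pair as present in the unique-certificate index.` The function also dereferences `x509Certificate` without a nil check, which is only safe if every caller passes a successfully decoded certificate. The callers' decode steps are outside these hunks.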
From: "artem.ivanov" Date: Wed, 20 Nov 2024 15:38:17 +0300 Subject: [PATCH 3/8] Fixed integration tests --- x/pki/keeper/certificate_helpers.go | 3 ++- ...g_server_approve_revoke_x_509_root_cert.go | 1 + x/pki/keeper/msg_server_remove_x_509_cert.go | 25 +++++++------------ x/pki/keeper/msg_server_revoke_x_509_cert.go | 1 + .../handler_add_noc_ica_cert_test.go | 2 +- .../handler_add_noc_root_cert_test.go | 2 +- .../{ => tests}/handler_add_paa_cert_test.go | 2 +- .../{ => tests}/handler_add_pai_cert_test.go | 2 +- .../handler_add_revocation_test.go | 2 +- x/pki/{ => tests}/handler_assign_vid_test.go | 2 +- .../handler_delete_revocation_test.go | 2 +- .../handler_remove_noc_ica_cert_test.go | 2 +- .../handler_remove_noc_root_cert_test.go | 2 +- .../handler_remove_pai_cert_test.go | 2 +- .../handler_revoke_noc_ica_cert_test.go | 2 +- .../handler_revoke_noc_root_cert_test.go | 2 +- .../handler_revoke_paa_cert_test.go | 2 +- .../handler_revoke_pai_cert_test.go | 2 +- x/pki/{ => tests}/handler_test.go | 5 ++-- .../handler_update_revocation_test.go | 2 +- .../revocation_message_utils_test.go | 2 +- 21 files changed, 32 insertions(+), 35 deletions(-) rename x/pki/{ => tests}/handler_add_noc_ica_cert_test.go (99%) rename x/pki/{ => tests}/handler_add_noc_root_cert_test.go (99%) rename x/pki/{ => tests}/handler_add_paa_cert_test.go (99%) rename x/pki/{ => tests}/handler_add_pai_cert_test.go (99%) rename x/pki/{ => tests}/handler_add_revocation_test.go (99%) rename x/pki/{ => tests}/handler_assign_vid_test.go (99%) rename x/pki/{ => tests}/handler_delete_revocation_test.go (99%) rename x/pki/{ => tests}/handler_remove_noc_ica_cert_test.go (99%) rename x/pki/{ => tests}/handler_remove_noc_root_cert_test.go (99%) rename x/pki/{ => tests}/handler_remove_pai_cert_test.go (99%) rename x/pki/{ => tests}/handler_revoke_noc_ica_cert_test.go (99%) rename x/pki/{ => tests}/handler_revoke_noc_root_cert_test.go (99%) rename x/pki/{ => tests}/handler_revoke_paa_cert_test.go (99%) rename 
x/pki/{ => tests}/handler_revoke_pai_cert_test.go (99%) rename x/pki/{ => tests}/handler_test.go (99%) rename x/pki/{ => tests}/handler_update_revocation_test.go (99%) rename x/pki/{ => tests}/revocation_message_utils_test.go (99%) diff --git a/x/pki/keeper/certificate_helpers.go b/x/pki/keeper/certificate_helpers.go index ea56b0d3c..6e1601465 100644 --- a/x/pki/keeper/certificate_helpers.go +++ b/x/pki/keeper/certificate_helpers.go @@ -159,11 +159,12 @@ func (k msgServer) RemoveDaCertificateBySerialNumber( certificates *types.ApprovedCertificates, serialNumber string, issuer string, + isRoot bool, ) { RemoveCertFromList(issuer, serialNumber, &certificates.Certs) if len(certificates.Certs) == 0 { - k.RemoveDaCertificate(ctx, subject, subjectKeyID, false) + k.RemoveDaCertificate(ctx, subject, subjectKeyID, isRoot) } else { k.RemoveAllCertificatesBySerialNumber(ctx, subject, subjectKeyID, serialNumber) k.RemoveAllCertificatesBySubjectKeyIDBySerialNumber(ctx, subject, subjectKeyID, serialNumber) diff --git a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go index 8841671ba..f0c51889e 100644 --- a/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go +++ b/x/pki/keeper/msg_server_approve_revoke_x_509_root_cert.go @@ -131,6 +131,7 @@ func (k msgServer) revokeRootCertificateBySerialNumber( &certificates, cert.SerialNumber, cert.Issuer, + true, ) return nil diff --git a/x/pki/keeper/msg_server_remove_x_509_cert.go b/x/pki/keeper/msg_server_remove_x_509_cert.go index 48ff20241..9a3b592fc 100644 --- a/x/pki/keeper/msg_server_remove_x_509_cert.go +++ b/x/pki/keeper/msg_server_remove_x_509_cert.go @@ -61,6 +61,7 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50 &aprCerts, certBySerialNumber.SerialNumber, certBySerialNumber.Issuer, + false, ) } if foundRevoked { 
@@ -68,23 +69,15 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50 k.removeOrUpdateRevokedX509Cert(ctx, msg.Subject, msg.SubjectKeyId, &revCerts) } } else { - k.revokeCertificate(ctx, aprCerts) + // remove from noc certificates map + k.RemoveDaCertificate(ctx, msg.Subject, msg.SubjectKeyId, false) + // remove from revoked list + k.RemoveRevokedCertificates(ctx, msg.Subject, msg.SubjectKeyId) + // remove from subject with serialNumber map + for _, cert := range certificates { + k.RemoveUniqueCertificate(ctx, cert.Issuer, cert.SerialNumber) + } } return &types.MsgRemoveX509CertResponse{}, nil } - -func (k msgServer) revokeCertificate( - ctx sdk.Context, - certificates types.ApprovedCertificates, -) { - // remove from noc certificates map - k.RemoveDaCertificate(ctx, certificates.Subject, certificates.SubjectKeyId, false) - // remove from revoked list - k.RemoveRevokedCertificates(ctx, certificates.Subject, certificates.SubjectKeyId) - - // remove from subject with serialNumber map - for _, cert := range certificates.Certs { - k.RemoveUniqueCertificate(ctx, cert.Issuer, cert.SerialNumber) - } -} diff --git a/x/pki/keeper/msg_server_revoke_x_509_cert.go b/x/pki/keeper/msg_server_revoke_x_509_cert.go index 5937daaad..3b3eab9ee 100644 --- a/x/pki/keeper/msg_server_revoke_x_509_cert.go +++ b/x/pki/keeper/msg_server_revoke_x_509_cert.go @@ -90,6 +90,7 @@ func (k msgServer) revokeDaCertificateBySerialNumber( &certificates, cert.SerialNumber, cert.Issuer, + false, ) if len(certificates.Certs) == 0 { diff --git a/x/pki/handler_add_noc_ica_cert_test.go b/x/pki/tests/handler_add_noc_ica_cert_test.go similarity index 99% rename from x/pki/handler_add_noc_ica_cert_test.go rename to x/pki/tests/handler_add_noc_ica_cert_test.go index 7b5d1bdc0..579178fa8 100644 --- a/x/pki/handler_add_noc_ica_cert_test.go +++ b/x/pki/tests/handler_add_noc_ica_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" 
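Review bot: The inlined cleanup in the `else` branch of RemoveX509Cert now loops over `certificates`, where the removed helper looped over `aprCerts.Certs`, and nothing in the commit says that this changes which UniqueCertificate entries are deleted. How `certificates` is built is outside the hunk, so please confirm it is the intended set and say so in the loop comment, e.g. `// certificates holds every cert for this subject/SKID, approved and revoked (TODO confirm)`. The first comment also says `noc certificates map` above a `RemoveDaCertificate` call; `// remove from da certificates map` matches the code.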
diff --git a/x/pki/handler_add_noc_root_cert_test.go b/x/pki/tests/handler_add_noc_root_cert_test.go similarity index 99% rename from x/pki/handler_add_noc_root_cert_test.go rename to x/pki/tests/handler_add_noc_root_cert_test.go index 46bd22302..57c8d49fa 100644 --- a/x/pki/handler_add_noc_root_cert_test.go +++ b/x/pki/tests/handler_add_noc_root_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_add_paa_cert_test.go b/x/pki/tests/handler_add_paa_cert_test.go similarity index 99% rename from x/pki/handler_add_paa_cert_test.go rename to x/pki/tests/handler_add_paa_cert_test.go index 871c10eeb..fceeb998b 100644 --- a/x/pki/handler_add_paa_cert_test.go +++ b/x/pki/tests/handler_add_paa_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "math" diff --git a/x/pki/handler_add_pai_cert_test.go b/x/pki/tests/handler_add_pai_cert_test.go similarity index 99% rename from x/pki/handler_add_pai_cert_test.go rename to x/pki/tests/handler_add_pai_cert_test.go index a6114db51..5dfb38847 100644 --- a/x/pki/handler_add_pai_cert_test.go +++ b/x/pki/tests/handler_add_pai_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_add_revocation_test.go b/x/pki/tests/handler_add_revocation_test.go similarity index 99% rename from x/pki/handler_add_revocation_test.go rename to x/pki/tests/handler_add_revocation_test.go index 2b7e8e4b9..37ba9801d 100644 --- a/x/pki/handler_add_revocation_test.go +++ b/x/pki/tests/handler_add_revocation_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_assign_vid_test.go b/x/pki/tests/handler_assign_vid_test.go similarity index 99% rename from x/pki/handler_assign_vid_test.go rename to x/pki/tests/handler_assign_vid_test.go index 410500266..31b148079 100644 --- a/x/pki/handler_assign_vid_test.go +++ b/x/pki/tests/handler_assign_vid_test.go 
@@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_delete_revocation_test.go b/x/pki/tests/handler_delete_revocation_test.go similarity index 99% rename from x/pki/handler_delete_revocation_test.go rename to x/pki/tests/handler_delete_revocation_test.go index bc2919b61..908af4135 100644 --- a/x/pki/handler_delete_revocation_test.go +++ b/x/pki/tests/handler_delete_revocation_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_remove_noc_ica_cert_test.go b/x/pki/tests/handler_remove_noc_ica_cert_test.go similarity index 99% rename from x/pki/handler_remove_noc_ica_cert_test.go rename to x/pki/tests/handler_remove_noc_ica_cert_test.go index 93140816a..56574b9f6 100644 --- a/x/pki/handler_remove_noc_ica_cert_test.go +++ b/x/pki/tests/handler_remove_noc_ica_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_remove_noc_root_cert_test.go b/x/pki/tests/handler_remove_noc_root_cert_test.go similarity index 99% rename from x/pki/handler_remove_noc_root_cert_test.go rename to x/pki/tests/handler_remove_noc_root_cert_test.go index 36bd8b81e..d68803ef9 100644 --- a/x/pki/handler_remove_noc_root_cert_test.go +++ b/x/pki/tests/handler_remove_noc_root_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_remove_pai_cert_test.go b/x/pki/tests/handler_remove_pai_cert_test.go similarity index 99% rename from x/pki/handler_remove_pai_cert_test.go rename to x/pki/tests/handler_remove_pai_cert_test.go index 80b81842b..1c06c0c11 100644 --- a/x/pki/handler_remove_pai_cert_test.go +++ b/x/pki/tests/handler_remove_pai_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" 
diff --git a/x/pki/handler_revoke_noc_ica_cert_test.go b/x/pki/tests/handler_revoke_noc_ica_cert_test.go similarity index 99% rename from x/pki/handler_revoke_noc_ica_cert_test.go rename to x/pki/tests/handler_revoke_noc_ica_cert_test.go index e5171f10a..6fb93d96a 100644 --- a/x/pki/handler_revoke_noc_ica_cert_test.go +++ b/x/pki/tests/handler_revoke_noc_ica_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_revoke_noc_root_cert_test.go b/x/pki/tests/handler_revoke_noc_root_cert_test.go similarity index 99% rename from x/pki/handler_revoke_noc_root_cert_test.go rename to x/pki/tests/handler_revoke_noc_root_cert_test.go index 334435aa2..48eb7bf27 100644 --- a/x/pki/handler_revoke_noc_root_cert_test.go +++ b/x/pki/tests/handler_revoke_noc_root_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_revoke_paa_cert_test.go b/x/pki/tests/handler_revoke_paa_cert_test.go similarity index 99% rename from x/pki/handler_revoke_paa_cert_test.go rename to x/pki/tests/handler_revoke_paa_cert_test.go index 09d724925..a24113057 100644 --- a/x/pki/handler_revoke_paa_cert_test.go +++ b/x/pki/tests/handler_revoke_paa_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "math" diff --git a/x/pki/handler_revoke_pai_cert_test.go b/x/pki/tests/handler_revoke_pai_cert_test.go similarity index 99% rename from x/pki/handler_revoke_pai_cert_test.go rename to x/pki/tests/handler_revoke_pai_cert_test.go index e36703547..14d456270 100644 --- a/x/pki/handler_revoke_pai_cert_test.go +++ b/x/pki/tests/handler_revoke_pai_cert_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/handler_test.go b/x/pki/tests/handler_test.go similarity index 99% rename from x/pki/handler_test.go rename to x/pki/tests/handler_test.go index f5a489536..3a52dfb88 100644 --- a/x/pki/handler_test.go +++ b/x/pki/tests/handler_test.go 
@@ -1,7 +1,8 @@ -package pki +package tests import ( "context" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki" "testing" "google.golang.org/grpc/codes" @@ -119,7 +120,7 @@ func Setup(t *testing.T) *TestSetup { Wctx: sdk.WrapSDKContext(ctx), Keeper: keeper, DclauthKeeper: dclauthKeeper, - Handler: NewHandler(*keeper), + Handler: pki.NewHandler(*keeper), Trustee1: GenerateAccAddress(), Trustee2: GenerateAccAddress(), Trustee3: GenerateAccAddress(), diff --git a/x/pki/handler_update_revocation_test.go b/x/pki/tests/handler_update_revocation_test.go similarity index 99% rename from x/pki/handler_update_revocation_test.go rename to x/pki/tests/handler_update_revocation_test.go index 3e08db1f4..bb6af8de4 100644 --- a/x/pki/handler_update_revocation_test.go +++ b/x/pki/tests/handler_update_revocation_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" diff --git a/x/pki/revocation_message_utils_test.go b/x/pki/tests/revocation_message_utils_test.go similarity index 99% rename from x/pki/revocation_message_utils_test.go rename to x/pki/tests/revocation_message_utils_test.go index 207b923c4..9f116f521 100644 --- a/x/pki/revocation_message_utils_test.go +++ b/x/pki/tests/revocation_message_utils_test.go @@ -1,4 +1,4 @@ -package pki +package tests import ( "testing" From 76cace6e05c9757aa117067fe0d32f8f80024226 Mon Sep 17 00:00:00 2001 
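Review bot: In the import hunk of x/pki/tests/handler_test.go the project import `"github.com/zigbee-alliance/distributed-compliance-ledger/x/pki"` is inserted between `"context"` and `"testing"`, inside the standard-library group. goimports keeps standard-library imports in their own group, so the line belongs with the other non-stdlib imports that follow `"testing"`. The import block continues outside the hunk.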
From: "artem.ivanov" Date: Wed, 20 Nov 2024 18:15:11 +0300 Subject: [PATCH 4/8] Added design for unit test --- integration_tests/constants/noc_constants.go | 12 +- x/pki/keeper/child_certificates.go | 14 + .../keeper/grpc_query_revoked_certificates.go | 14 + .../msg_server_remove_noc_x_509_ica_cert.go | 10 +- x/pki/keeper/msg_server_remove_x_509_cert.go | 16 +- x/pki/keeper/proposed_certificate.go | 3 +- x/pki/keeper/revoked_noc_ica_certificates.go | 14 + x/pki/keeper/revoked_noc_root_certificates.go | 14 + x/pki/tests/handler_add_noc_ica_cert_test.go | 1 + x/pki/tests/handler_add_noc_root_cert_test.go | 1 + .../tests/handler_remove_noc_ica_cert_test.go | 57 ++++ .../handler_remove_noc_root_cert_test.go | 50 +++ x/pki/tests/handler_remove_pai_cert_test.go | 85 ++++- .../tests/handler_revoke_noc_ica_cert_test.go | 61 ++++ .../handler_revoke_noc_root_cert_test.go | 296 +++++++++++------- x/pki/tests/handler_revoke_paa_cert_test.go | 64 ++-- x/pki/tests/handler_revoke_pai_cert_test.go | 55 ++-- x/pki/tests/handler_test.go | 34 +- x/pki/tests/test-design.md | 180 +++++++++++ 19 files changed, 807 insertions(+), 174 deletions(-) create mode 100644 x/pki/tests/test-design.md diff --git a/integration_tests/constants/noc_constants.go b/integration_tests/constants/noc_constants.go index 1d2c96e0c..f114171ff 100644 --- a/integration_tests/constants/noc_constants.go +++ b/integration_tests/constants/noc_constants.go 
@@ -129,6 +129,7 @@ BAMCA0kAMEYCIQDzsjB569j1SsltNIP8CMTD4kRsTulqSp+O7JbQdWyzPAIhAODV zodhpBXZfzhHDvINejK8wzwWgf7Ds8wk3oENlmAj -----END CERTIFICATE-----` + NocRootCert1Issuer = "MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwYDVQQHDAhUYXNoa2VudDEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMQ4wDAYDVQQDDAVOT0MtMQ==" NocRootCert1Subject = "MHoxCzAJBgNVBAYTAlVaMRMwEQYDVQQIDApTb21lIFN0YXRlMREwDwYDVQQHDAhUYXNoa2VudDEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMQ4wDAYDVQQDDAVOT0MtMQ==" NocRootCert1SubjectKeyID = "44:EB:4C:62:6B:25:48:CD:A2:B3:1C:87:41:5A:08:E7:2B:B9:83:26" NocRootCert1SerialNumber = "47211865327720222621302679792296833381734533449" 
@@ -149,11 +150,12 @@ zodhpBXZfzhHDvINejK8wzwWgf7Ds8wk3oENlmAj NocRootCert3SerialNumber = "38457288443253426021793906708335409501754677187" NocRootCert3SubjectAsText = "CN=NOC-3,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" - NocCert1Subject = "MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMQ==" - NocCert1Issuer = NocRootCert1Subject - NocCert1SubjectKeyID = "02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3" - NocCert1SerialNumber = "631388393741945881054190991612463928825155142122" - NocCert1SubjectAsText = "CN=NOC-child-1,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ" + NocCert1Subject = "MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMQ==" + NocCert1Issuer = NocRootCert1Subject + NocCert1AuthorityKeyID = NocRootCert1SubjectKeyID + NocCert1SubjectKeyID = "02:72:6E:BC:BB:EF:D6:BD:8D:9B:42:AE:D4:3C:C0:55:5F:66:3A:B3" + NocCert1SerialNumber = "631388393741945881054190991612463928825155142122" + NocCert1SubjectAsText = "CN=NOC-child-1,OU=Testing Division,O=Example Company,L=Some State,ST=Some State,C=UZ" NocCert1CopySubject = "MIGCMQswCQYDVQQGEwJVWjETMBEGA1UECAwKU29tZSBTdGF0ZTETMBEGA1UEBwwKU29tZSBTdGF0ZTEYMBYGA1UECgwPRXhhbXBsZSBDb21wYW55MRkwFwYDVQQLDBBUZXN0aW5nIERpdmlzaW9uMRQwEgYDVQQDDAtOT0MtY2hpbGQtMQ==" NocCert1CopyIssuer = NocRootCert1Subject diff --git a/x/pki/keeper/child_certificates.go b/x/pki/keeper/child_certificates.go index 1ba16ce2e..6a6053bec 100644 --- a/x/pki/keeper/child_certificates.go +++ b/x/pki/keeper/child_certificates.go 
@@ -178,3 +178,17 @@ func (k msgServer) RemoveChildCertificate( k.RemoveChildCertificates(ctx, issuer, authorityKeyID) } } + +// IsChildCertificatePresent Check if the Child Certificate is present in the store. +func (k Keeper) IsChildCertificatePresent( + ctx sdk.Context, + issuer string, + authorityKeyID string, +) bool { + store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.ChildCertificatesKeyPrefix)) + + return store.Has(types.ChildCertificatesKey( + issuer, + authorityKeyID, + )) +} diff --git a/x/pki/keeper/grpc_query_revoked_certificates.go b/x/pki/keeper/grpc_query_revoked_certificates.go index 0652726e9..f7ccf9e4d 100644 --- a/x/pki/keeper/grpc_query_revoked_certificates.go +++ b/x/pki/keeper/grpc_query_revoked_certificates.go @@ -57,3 +57,17 @@ func (k Keeper) RevokedCertificates(c context.Context, req *types.QueryGetRevoke return &types.QueryGetRevokedCertificatesResponse{RevokedCertificates: val}, nil } + +// IsRevokedCertificatePresent Check if the Revoked Certificate is present in the store. +func (k Keeper) IsRevokedCertificatePresent( + ctx sdk.Context, + subject string, + subjectKeyID string, +) bool { + store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RevokedCertificatesKeyPrefix)) + + return store.Has(types.RevokedCertificatesKey( + subject, + subjectKeyID, + )) +} diff --git a/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go b/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go index f7a687c46..9072007c6 100644 --- a/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go +++ b/x/pki/keeper/msg_server_remove_noc_x_509_ica_cert.go 
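Review bot: IsChildCertificatePresent only calls `store.Has` on the issuer/authorityKeyID key, so it reports whether any ChildCertificates record exists for that issuer, not whether a particular child is listed in it, and neither the name nor the comment says so. The tests added in this patch use it for their `child certificate - missing` checks, which can only pass once the issuer's last child is gone. I would write the comment in Go doc form and state the scope: `// IsChildCertificatePresent reports whether a ChildCertificates record exists for the given issuer/authorityKeyID; it does not look for a specific child.` The same `Name Check if ...` comment form is used on IsRevokedCertificatePresent, IsRevokedNocIcaCertificatePresent, IsRevokedNocRootCertificatePresent and IsProposedCertificatePresent in this patch.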
@@ -59,7 +59,7 @@ func (k msgServer) RemoveNocX509IcaCert(goCtx context.Context, msg *types.MsgRem SubjectKeyId: msg.SubjectKeyId, } - if msg.SerialNumber != "" { + if msg.SerialNumber != "" { //nolint:nestif certBySerialNumber, found := FindCertificateInList(msg.SerialNumber, &certificates) if !found { return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(msg.Subject, msg.SubjectKeyId, msg.SerialNumber) @@ -80,6 +80,12 @@ func (k msgServer) RemoveNocX509IcaCert(goCtx context.Context, msg *types.MsgRem certBySerialNumber.Issuer, false, ) + if len(icaCerts.Certs) == 0 { + k.RemoveChildCertificate(ctx, certBySerialNumber.Issuer, certBySerialNumber.AuthorityKeyId, types.CertificateIdentifier{ + Subject: icaCerts.Subject, + SubjectKeyId: icaCerts.SubjectKeyId, + }) + } } if foundRevoked { @@ -91,6 +97,8 @@ func (k msgServer) RemoveNocX509IcaCert(goCtx context.Context, msg *types.MsgRem k.RemoveRevokedNocIcaCertificates(ctx, certID.Subject, certID.SubjectKeyId) // remove from noc certificates map k.RemoveNocCertificate(ctx, cert.Subject, cert.SubjectKeyId, accountVid, false) + // Remove certificate identifier from issuer's ChildCertificates record + k.RemoveChildCertificate(ctx, certificates[0].Issuer, certificates[0].AuthorityKeyId, certID) // remove from subject with serialNumber map for _, cert := range certificates { k.RemoveUniqueCertificate(ctx, cert.Issuer, cert.SerialNumber) diff --git a/x/pki/keeper/msg_server_remove_x_509_cert.go b/x/pki/keeper/msg_server_remove_x_509_cert.go index 9a3b592fc..d1bf40047 100644 --- a/x/pki/keeper/msg_server_remove_x_509_cert.go +++ b/x/pki/keeper/msg_server_remove_x_509_cert.go 
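Review bot: In the full-removal branch of RemoveNocX509IcaCert, `k.RemoveChildCertificate(ctx, certificates[0].Issuer, certificates[0].AuthorityKeyId, certID)` takes the issuer and authority key id from the first element only. It panics if `certificates` can be empty at this point (the lookup that fills it is outside the hunk). If certificates sharing a subject/SKID can have different issuers or authority key ids, the identifier also stays in the other issuers' ChildCertificates records, leaving links to a certificate that no longer exists. Moving the call into the existing loop as `k.RemoveChildCertificate(ctx, cert.Issuer, cert.AuthorityKeyId, certID)` would cover both cases, provided RemoveChildCertificate tolerates a record that is already gone, which needs confirming. The same `certificates[0]` call is added to the `else` branch of RemoveX509Cert in msg_server_remove_x_509_cert.go.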
@@ -44,7 +44,7 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50 return nil, err } - if msg.SerialNumber != "" { + if msg.SerialNumber != "" { //nolint:nestif certBySerialNumber, found := FindCertificateInList(msg.SerialNumber, &certificates) if !found { return nil, pkitypes.NewErrCertificateBySerialNumberDoesNotExist(msg.Subject, msg.SubjectKeyId, msg.SerialNumber) @@ -63,16 +63,28 @@ func (k msgServer) RemoveX509Cert(goCtx context.Context, msg *types.MsgRemoveX50 certBySerialNumber.Issuer, false, ) + if len(aprCerts.Certs) == 0 { + k.RemoveChildCertificate(ctx, certBySerialNumber.Issuer, certBySerialNumber.AuthorityKeyId, types.CertificateIdentifier{ + Subject: aprCerts.Subject, + SubjectKeyId: aprCerts.SubjectKeyId, + }) + } } if foundRevoked { RemoveCertFromList(certBySerialNumber.Issuer, certBySerialNumber.SerialNumber, &revCerts.Certs) k.removeOrUpdateRevokedX509Cert(ctx, msg.Subject, msg.SubjectKeyId, &revCerts) } } else { - // remove from noc certificates map + certIdentifier := types.CertificateIdentifier{ + Subject: msg.Subject, + SubjectKeyId: msg.SubjectKeyId, + } + // remove from da certificates map k.RemoveDaCertificate(ctx, msg.Subject, msg.SubjectKeyId, false) // remove from revoked list k.RemoveRevokedCertificates(ctx, msg.Subject, msg.SubjectKeyId) + // Remove certificate identifier from issuer's ChildCertificates record + k.RemoveChildCertificate(ctx, certificates[0].Issuer, certificates[0].AuthorityKeyId, certIdentifier) // remove from subject with serialNumber map for _, cert := range certificates { k.RemoveUniqueCertificate(ctx, cert.Issuer, cert.SerialNumber) diff --git a/x/pki/keeper/proposed_certificate.go b/x/pki/keeper/proposed_certificate.go index 8d48ac46b..8f6e7245b 100644 --- a/x/pki/keeper/proposed_certificate.go +++ b/x/pki/keeper/proposed_certificate.go 
@@ -67,8 +67,7 @@ func (k Keeper) GetAllProposedCertificate(ctx sdk.Context) (list []types.Propose return } -// Check if the Proposed Certificate record associated with a -// Subject/SubjectKeyID combination is present in the store. +// IsProposedCertificatePresent Check if the Proposed Certificate record associated with a Subject/SubjectKeyID combination is present in the store. func (k Keeper) IsProposedCertificatePresent( ctx sdk.Context, subject string, diff --git a/x/pki/keeper/revoked_noc_ica_certificates.go b/x/pki/keeper/revoked_noc_ica_certificates.go index dc9578a02..f9bbddf8a 100644 --- a/x/pki/keeper/revoked_noc_ica_certificates.go +++ b/x/pki/keeper/revoked_noc_ica_certificates.go @@ -97,3 +97,17 @@ func (k Keeper) GetAllRevokedNocIcaCertificates(ctx sdk.Context) (list []types.R return } + +// IsRevokedNocIcaCertificatePresent Check if the Revoked Noc ICA Certificate record associated with a Subject/SubjectKeyID combination is present in the store. +func (k Keeper) IsRevokedNocIcaCertificatePresent( + ctx sdk.Context, + subject string, + subjectKeyID string, +) bool { + store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RevokedNocIcaCertificatesKeyPrefix)) + + return store.Has(types.RevokedNocIcaCertificatesKey( + subject, + subjectKeyID, + )) +} diff --git a/x/pki/keeper/revoked_noc_root_certificates.go b/x/pki/keeper/revoked_noc_root_certificates.go index 4bb8a9f47..ed0b97a73 100644 --- a/x/pki/keeper/revoked_noc_root_certificates.go +++ b/x/pki/keeper/revoked_noc_root_certificates.go 
@@ -97,3 +97,17 @@ func (k Keeper) GetAllRevokedNocRootCertificates(ctx sdk.Context) (list []types. return } + +// IsRevokedNocRootCertificatePresent Check if the Revoked Noc Root Certificate record associated with a Subject/SubjectKeyID combination is present in the store. +func (k Keeper) IsRevokedNocRootCertificatePresent( + ctx sdk.Context, + subject string, + subjectKeyID string, +) bool { + store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RevokedNocRootCertificatesKeyPrefix)) + + return store.Has(types.RevokedNocRootCertificatesKey( + subject, + subjectKeyID, + )) +} diff --git a/x/pki/tests/handler_add_noc_ica_cert_test.go b/x/pki/tests/handler_add_noc_ica_cert_test.go index 579178fa8..c17b70b22 100644 --- a/x/pki/tests/handler_add_noc_ica_cert_test.go +++ b/x/pki/tests/handler_add_noc_ica_cert_test.go @@ -27,6 +27,7 @@ func TestHandler_AddNocX509Cert_AddNewIca(t *testing.T) { // add NOC ICA certificate addNocIcaCertificate(setup, accAddress, testconstants.NocCert1) + // Check: Noc + All + UniqueCertificate ensureNocIcaCertificateExist( t, setup, diff --git a/x/pki/tests/handler_add_noc_root_cert_test.go b/x/pki/tests/handler_add_noc_root_cert_test.go index 57c8d49fa..5bcbe4b08 100644 --- a/x/pki/tests/handler_add_noc_root_cert_test.go +++ b/x/pki/tests/handler_add_noc_root_cert_test.go @@ -23,6 +23,7 @@ func TestHandler_AddNocX509Cert_AddNewRoot(t *testing.T) { // add NOC root certificate addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) + // Check: Noc + All + UniqueCertificate ensureNocRootCertificateExist( t, setup, diff --git a/x/pki/tests/handler_remove_noc_ica_cert_test.go b/x/pki/tests/handler_remove_noc_ica_cert_test.go index 56574b9f6..ce554898b 100644 --- a/x/pki/tests/handler_remove_noc_ica_cert_test.go +++ b/x/pki/tests/handler_remove_noc_ica_cert_test.go 
@@ -15,6 +15,63 @@ import ( // Main +func TestHandler_RemoveNocX509IcaCert(t *testing.T) { + setup := Setup(t) + + // Add vendor account + vid := testconstants.Vid + vendorAccAddress := GenerateAccAddress() + setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + + // add NOC root certificate + addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) + + // add intermediate certificate + addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + + // remove intermediate certificate + removeIcaCert := types.NewMsgRemoveNocX509IcaCert( + vendorAccAddress.String(), + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + "", + ) + _, err := setup.Handler(setup.Ctx, removeIcaCert) + require.NoError(t, err) + + // Check: Noc - missing + ensureCertificateNotPresentInNocCertificateIndexes( + t, + setup, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + testconstants.Vid, + false, + false, + ) + + // Check: All - missing + ensureCertificateNotPresentInGlobalCertificateIndexes( + t, + setup, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + false, + ) + + // Check: UniqueCertificate - missing + found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1Issuer, testconstants.NocCert1SerialNumber) + require.False(t, found) + + // Check: RevokedCertificates (ica) - missing + found = setup.Keeper.IsRevokedNocIcaCertificatePresent(setup.Ctx, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) + require.False(t, found) + + // Check: child certificate - missing + found = setup.Keeper.IsChildCertificatePresent(setup.Ctx, testconstants.NocCert1Issuer, testconstants.NocCert1AuthorityKeyID) + require.False(t, found) +} + func TestHandler_RemoveNocX509IcaCert_BySubjectAndSKID(t *testing.T) { setup := Setup(t) 
diff --git a/x/pki/tests/handler_remove_noc_root_cert_test.go b/x/pki/tests/handler_remove_noc_root_cert_test.go index d68803ef9..b1eaa467a 100644 --- a/x/pki/tests/handler_remove_noc_root_cert_test.go +++ b/x/pki/tests/handler_remove_noc_root_cert_test.go @@ -15,6 +15,56 @@ import ( // Main +func TestHandler_RemoveNocX509RootCert(t *testing.T) { + setup := Setup(t) + + // Add vendor account + vid := testconstants.Vid + vendorAccAddress := GenerateAccAddress() + setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + + // add NOC root certificates + addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) + + // remove noc root certificate + removeIcaCert := types.NewMsgRemoveNocX509RootCert( + vendorAccAddress.String(), + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + "", + ) + _, err := setup.Handler(setup.Ctx, removeIcaCert) + require.NoError(t, err) + + // Check: Noc - missing + ensureCertificateNotPresentInNocCertificateIndexes( + t, + setup, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.Vid, + true, + false, + ) + + // Check: All - missing + ensureCertificateNotPresentInGlobalCertificateIndexes( + t, + setup, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + false, + ) + + // Check: UniqueCertificate - missing + found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1Issuer, testconstants.NocRootCert1SerialNumber) + require.False(t, found) + + // Check: RevokedCertificates (root) - missing + found = setup.Keeper.IsRevokedNocRootCertificatePresent(setup.Ctx, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) + require.False(t, found) +} + func TestHandler_RemoveNocX509RootCert_BySubjectAndSKID(t *testing.T) { setup := Setup(t) 
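Review bot: In TestHandler_RemoveNocX509RootCert the message built by `types.NewMsgRemoveNocX509RootCert` is stored in a variable named `removeIcaCert`, apparently carried over from the ICA test. Rename it so the test reads as what it exercises, e.g. `removeRootCert := types.NewMsgRemoveNocX509RootCert(` and `setup.Handler(setup.Ctx, removeRootCert)`.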
diff --git a/x/pki/tests/handler_remove_pai_cert_test.go b/x/pki/tests/handler_remove_pai_cert_test.go index 1c06c0c11..dbe061397 100644 --- a/x/pki/tests/handler_remove_pai_cert_test.go +++ b/x/pki/tests/handler_remove_pai_cert_test.go 
@@ -32,6 +32,89 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { } proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + // Add intermediate certificates + addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) + + // Remove intermediate certificate + removeX509Cert := types.NewMsgRemoveX509Cert( + vendorAccAddress.String(), + testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, + testconstants.IntermediateCertWithSameSubjectAndSKIDSubjectKeyID, + "", + ) + _, err := setup.Handler(setup.Ctx, removeX509Cert) + require.NoError(t, err) + + // Check: only one certificate exists + allCerts, _ := queryAllApprovedCertificates(setup) + require.Equal(t, 1, len(allCerts)) + + // Check: UniqueCertificate - missing + found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber) + require.False(t, found) + + // Check: RevokedCertificates - missing + found = setup.Keeper.IsProposedCertificatePresent(setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID) + require.False(t, found) + + // Check: ProposedCertificateRevocation - missing + found = setup.Keeper.IsProposedCertificateRevocationPresent( + setup.Ctx, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + testconstants.IntermediateSerialNumber, + ) + require.False(t, found) + + // Check: All - missing + ensureCertificateNotPresentInGlobalCertificateIndexes( + t, + setup, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + false, + ) + + // Check: DA - missing + ensureCertificateNotPresentInDaCertificateIndexes( + t, + setup, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + false, + ) + + // Check: child certificate - missing + found = setup.Keeper.IsChildCertificatePresent(setup.Ctx, testconstants.IntermediateIssuer, testconstants.IntermediateAuthorityKeyID) + require.False(t, 
found) + + // Check: root exists + ensureDaPaaCertificateExist( + t, + setup, + testconstants.RootCertWithSameSubjectAndSKIDSubject, + testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, + testconstants.RootCertWithSameSubjectAndSKIDSubject, + testconstants.RootCertWithSameSubjectAndSKID1SerialNumber) +} + +func TestHandler_RemoveX509Cert_BySubjectAndSKID_TwoCerts(t *testing.T) { + setup := Setup(t) + + // Add vendor account + vendorAccAddress := GenerateAccAddress() + setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.RootCertWithVidVid) + + // propose and approve x509 root certificate + rootCertOptions := &rootCertOptions{ + pemCert: testconstants.RootCertWithSameSubjectAndSKID1, + subject: testconstants.RootCertWithSameSubjectAndSKIDSubject, + subjectKeyID: testconstants.RootCertWithSameSubjectAndSKIDSubjectKeyID, + info: testconstants.Info, + vid: testconstants.RootCertWithVidVid, + } + proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) + // Add two intermediate certificates addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID2) @@ -101,7 +184,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { testconstants.RootCertWithSameSubjectAndSKID1SerialNumber) } -func TestHandler_RemoveX509Cert_BySerialNumber(t *testing.T) { +func TestHandler_RemoveX509Cert_BySerialNumber_TwoCerts(t *testing.T) { setup := Setup(t) // Add vendor account diff --git a/x/pki/tests/handler_revoke_noc_ica_cert_test.go b/x/pki/tests/handler_revoke_noc_ica_cert_test.go index 6fb93d96a..334f4761d 100644 --- a/x/pki/tests/handler_revoke_noc_ica_cert_test.go +++ b/x/pki/tests/handler_revoke_noc_ica_cert_test.go 
@@ -16,6 +16,67 @@ import ( // Main +func TestHandler_RevokeNocX509Cert(t *testing.T) { + setup := Setup(t) + + accAddress := GenerateAccAddress() + setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + + // add the first NOC root certificate + addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) + + // add the NOC non-root certificate + addNocIcaCertificate(setup, accAddress, testconstants.NocCert1) + + // Revoke NOC with subject and subject key id only + revokeCert := types.NewMsgRevokeNocX509IcaCert( + accAddress.String(), + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + "", + testconstants.Info, + false, + ) + _, err := setup.Handler(setup.Ctx, revokeCert) + require.NoError(t, err) + + // Check: Noc - missing + ensureCertificateNotPresentInNocCertificateIndexes( + t, + setup, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + testconstants.Vid, + false, + false, + ) + + // Check: All - missing + ensureCertificateNotPresentInGlobalCertificateIndexes( + t, + setup, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + false, + ) + + // Check: UniqueCertificate - present + found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1Issuer, testconstants.NocCert1SerialNumber) + require.True(t, found) + + // Check: RevokedCertificates (ica) - present + found = setup.Keeper.IsRevokedNocIcaCertificatePresent(setup.Ctx, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) + require.True(t, found) + + // Check: RevokedCertificates (root) - missing + found = setup.Keeper.IsRevokedNocRootCertificatePresent(setup.Ctx, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) + require.False(t, found) + + // Check: child certificate - missing + found = setup.Keeper.IsChildCertificatePresent(setup.Ctx, testconstants.NocCert1Issuer, testconstants.NocCert1AuthorityKeyID) + require.False(t, found) +} + func 
TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) { setup := Setup(t) diff --git a/x/pki/tests/handler_revoke_noc_root_cert_test.go b/x/pki/tests/handler_revoke_noc_root_cert_test.go index 48eb7bf27..28d58c8af 100644 --- a/x/pki/tests/handler_revoke_noc_root_cert_test.go +++ b/x/pki/tests/handler_revoke_noc_root_cert_test.go 
@@ -14,148 +14,62 @@ import ( "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki/types" ) -func TestHandler_RevokeNocX509RootCert_SenderNotVendor(t *testing.T) { +// Main + +func TestHandler_RevokeNocX509RootCert(t *testing.T) { setup := Setup(t) accAddress := GenerateAccAddress() setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - // add the new NOC root certificate + // add the first NOC root certificate addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addNocX509RootCert) require.NoError(t, err) + // Revoke NOC root with subject and subject key id only revokeCert := types.NewMsgRevokeNocX509RootCert( - setup.Trustee1.String(), + accAddress.String(), testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, "", + testconstants.Info, false, ) _, err = setup.Handler(setup.Ctx, revokeCert) + require.NoError(t, err) - require.Error(t, err) - require.ErrorIs(t, err, sdkerrors.ErrUnauthorized) -} - -func TestHandler_RevokeNocX509RootCert_CertificateDoesNotExist(t *testing.T) { - setup := Setup(t) - - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) - - revokeCert := types.NewMsgRevokeNocX509RootCert( - accAddress.String(), + // Check: Noc - missing + ensureCertificateNotPresentInNocCertificateIndexes( + t, + setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, - "", + testconstants.Vid, + true, false, ) - _, err := setup.Handler(setup.Ctx, revokeCert) - require.Error(t, err) - require.ErrorIs(t, err, pkitypes.ErrCertificateDoesNotExist) -} - -func TestHandler_RevokeNocX509RootCert_CertificateExists(t *testing.T) { - accAddress := GenerateAccAddress() - - cases := []struct { - name 
string - existingCert *types.Certificate - nocRoorCert string - err error - }{ - { - name: "ExistingNonRootCert", - existingCert: &types.Certificate{ - Issuer: testconstants.NocRootCert1Subject, - Subject: testconstants.NocRootCert1Subject, - SubjectAsText: testconstants.NocRootCert1SubjectAsText, - SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, - SerialNumber: testconstants.NocRootCert1SerialNumber, - IsRoot: false, - CertificateType: types.CertificateType_OperationalPKI, - Vid: testconstants.Vid, - }, - nocRoorCert: testconstants.RootCertPem, - err: pkitypes.ErrInappropriateCertificateType, - }, - { - name: "ExistingNotNocCert", - existingCert: &types.Certificate{ - Issuer: testconstants.NocRootCert1Subject, - Subject: testconstants.NocRootCert1Subject, - SubjectAsText: testconstants.NocRootCert1SubjectAsText, - SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, - SerialNumber: testconstants.NocRootCert1SerialNumber, - IsRoot: true, - CertificateType: types.CertificateType_DeviceAttestationPKI, - Vid: testconstants.Vid, - }, - nocRoorCert: testconstants.RootCertPem, - err: pkitypes.ErrInappropriateCertificateType, - }, - { - name: "ExistingCertWithDifferentVid", - existingCert: &types.Certificate{ - Issuer: testconstants.NocRootCert1Subject, - Subject: testconstants.NocRootCert1Subject, - SubjectAsText: testconstants.NocRootCert1SubjectAsText, - SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, - SerialNumber: testconstants.NocRootCert1SerialNumber, - IsRoot: true, - CertificateType: types.CertificateType_OperationalPKI, - Vid: testconstants.VendorID1, - }, - nocRoorCert: testconstants.RootCertPem, - err: pkitypes.ErrCertVidNotEqualAccountVid, - }, - { - name: "ExistingCertWithDifferentSerialNumber", - existingCert: &types.Certificate{ - Issuer: testconstants.NocRootCert1Subject, - Subject: testconstants.NocRootCert1Subject, - SubjectAsText: testconstants.NocRootCert1SubjectAsText, - SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, - 
SerialNumber: "1234567", - IsRoot: true, - CertificateType: types.CertificateType_OperationalPKI, - Vid: testconstants.Vid, - }, - nocRoorCert: testconstants.RootCertPem, - err: pkitypes.ErrCertificateDoesNotExist, - }, - } + // Check: All - missing + ensureCertificateNotPresentInGlobalCertificateIndexes( + t, + setup, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + false, + ) - for _, tc := range cases { - t.Run(tc.name, func(t *testing.T) { - setup := Setup(t) - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + // Check: UniqueCertificate - present + found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1Issuer, testconstants.NocRootCert1SerialNumber) + require.True(t, found) - // add the existing certificate - setup.Keeper.AddNocCertificate(setup.Ctx, *tc.existingCert) - uniqueCertificate := types.UniqueCertificate{ - Issuer: tc.existingCert.Issuer, - SerialNumber: tc.existingCert.SerialNumber, - Present: true, - } - setup.Keeper.SetUniqueCertificate(setup.Ctx, uniqueCertificate) + // Check: RevokedCertificates (root) - present + found = setup.Keeper.IsRevokedNocRootCertificatePresent(setup.Ctx, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) + require.True(t, found) - revokeCert := types.NewMsgRevokeNocX509RootCert( - accAddress.String(), - testconstants.NocRootCert1Subject, - testconstants.NocRootCert1SubjectKeyID, - testconstants.NocRootCert1SerialNumber, - "", - false, - ) - _, err := setup.Handler(setup.Ctx, revokeCert) - require.ErrorIs(t, err, tc.err) - }) - } + // Check: RevokedCertificates (ica) - missing + found = setup.Keeper.IsRevokedNocIcaCertificatePresent(setup.Ctx, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) + require.False(t, found) } func TestHandler_RevokeNocX509RootCert_RevokeDefault(t *testing.T) { 
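Review bot: The setup in TestHandler_RevokeNocX509RootCert still builds the add message by hand, while the ICA revoke test in this same patch uses the helper. `addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1)` would replace the three setup lines, assuming the helper submits the same message with the same schema version. The comment `// add the first NOC root certificate` is also misleading because only one root is added in this test; `// add the NOC root certificate` says what happens.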
@@ -551,3 +465,151 @@ func TestHandler_RevokeNocX509RootCert_RevokeWithSerialNumberAndChild(t *testing require.False(t, setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1, testconstants.NocCert1SerialNumber)) } + +// Extra cases + +// Error cases + +func TestHandler_RevokeNocX509RootCert_SenderNotVendor(t *testing.T) { + setup := Setup(t) + + accAddress := GenerateAccAddress() + setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + + // add the new NOC root certificate + addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) + _, err := setup.Handler(setup.Ctx, addNocX509RootCert) + require.NoError(t, err) + + revokeCert := types.NewMsgRevokeNocX509RootCert( + setup.Trustee1.String(), + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.NocRootCert1SerialNumber, + "", + false, + ) + _, err = setup.Handler(setup.Ctx, revokeCert) + + require.Error(t, err) + require.ErrorIs(t, err, sdkerrors.ErrUnauthorized) +} + +func TestHandler_RevokeNocX509RootCert_CertificateDoesNotExist(t *testing.T) { + setup := Setup(t) + + accAddress := GenerateAccAddress() + setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + + revokeCert := types.NewMsgRevokeNocX509RootCert( + accAddress.String(), + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.NocRootCert1SerialNumber, + "", + false, + ) + _, err := setup.Handler(setup.Ctx, revokeCert) + + require.Error(t, err) + require.ErrorIs(t, err, pkitypes.ErrCertificateDoesNotExist) +} + +func TestHandler_RevokeNocX509RootCert_CertificateExists(t *testing.T) { + accAddress := GenerateAccAddress() + + cases := []struct { + name string + existingCert *types.Certificate + nocRoorCert string + err error + }{ + { + name: "ExistingNonRootCert", + existingCert: 
&types.Certificate{ + Issuer: testconstants.NocRootCert1Subject, + Subject: testconstants.NocRootCert1Subject, + SubjectAsText: testconstants.NocRootCert1SubjectAsText, + SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, + SerialNumber: testconstants.NocRootCert1SerialNumber, + IsRoot: false, + CertificateType: types.CertificateType_OperationalPKI, + Vid: testconstants.Vid, + }, + nocRoorCert: testconstants.RootCertPem, + err: pkitypes.ErrInappropriateCertificateType, + }, + { + name: "ExistingNotNocCert", + existingCert: &types.Certificate{ + Issuer: testconstants.NocRootCert1Subject, + Subject: testconstants.NocRootCert1Subject, + SubjectAsText: testconstants.NocRootCert1SubjectAsText, + SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, + SerialNumber: testconstants.NocRootCert1SerialNumber, + IsRoot: true, + CertificateType: types.CertificateType_DeviceAttestationPKI, + Vid: testconstants.Vid, + }, + nocRoorCert: testconstants.RootCertPem, + err: pkitypes.ErrInappropriateCertificateType, + }, + { + name: "ExistingCertWithDifferentVid", + existingCert: &types.Certificate{ + Issuer: testconstants.NocRootCert1Subject, + Subject: testconstants.NocRootCert1Subject, + SubjectAsText: testconstants.NocRootCert1SubjectAsText, + SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, + SerialNumber: testconstants.NocRootCert1SerialNumber, + IsRoot: true, + CertificateType: types.CertificateType_OperationalPKI, + Vid: testconstants.VendorID1, + }, + nocRoorCert: testconstants.RootCertPem, + err: pkitypes.ErrCertVidNotEqualAccountVid, + }, + { + name: "ExistingCertWithDifferentSerialNumber", + existingCert: &types.Certificate{ + Issuer: testconstants.NocRootCert1Subject, + Subject: testconstants.NocRootCert1Subject, + SubjectAsText: testconstants.NocRootCert1SubjectAsText, + SubjectKeyId: testconstants.NocRootCert1SubjectKeyID, + SerialNumber: "1234567", + IsRoot: true, + CertificateType: types.CertificateType_OperationalPKI, + Vid: testconstants.Vid, + }, + 
nocRoorCert: testconstants.RootCertPem, + err: pkitypes.ErrCertificateDoesNotExist, + }, + } + + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + setup := Setup(t) + setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + + // add the existing certificate + setup.Keeper.AddNocCertificate(setup.Ctx, *tc.existingCert) + uniqueCertificate := types.UniqueCertificate{ + Issuer: tc.existingCert.Issuer, + SerialNumber: tc.existingCert.SerialNumber, + Present: true, + } + setup.Keeper.SetUniqueCertificate(setup.Ctx, uniqueCertificate) + + revokeCert := types.NewMsgRevokeNocX509RootCert( + accAddress.String(), + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.NocRootCert1SerialNumber, + "", + false, + ) + _, err := setup.Handler(setup.Ctx, revokeCert) + require.ErrorIs(t, err, tc.err) + }) + } +} diff --git a/x/pki/tests/handler_revoke_paa_cert_test.go b/x/pki/tests/handler_revoke_paa_cert_test.go index a24113057..88b7309bf 100644 --- a/x/pki/tests/handler_revoke_paa_cert_test.go +++ b/x/pki/tests/handler_revoke_paa_cert_test.go 
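Review bot: The context line at the top of this hunk, `require.False(t, setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1, testconstants.NocCert1SerialNumber))`, passes `testconstants.NocCert1` as the issuer, although the other tests on this page use that constant as the certificate to add and `testconstants.NocCert1Issuer` as the issuer. If so, the lookup key can never match and the assertion passes regardless of what the handler does. It should use `testconstants.NocCert1Issuer`. The expectation probably needs revisiting at the same time, because test-design.md in this patch lists `UniqueCertificate` as present after a revocation. The enclosing function TestHandler_RevokeNocX509RootCert_RevokeWithSerialNumberAndChild starts outside the hunk.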
@@ -31,24 +31,24 @@ func TestHandler_ProposeRevokeX509RootCert_ByTrusteeOwner(t *testing.T) { _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) - // query and check proposed certificate revocation + // Check: ProposedCertificateRevocation - present proposedRevocation, _ := queryProposedCertificateRevocation(setup, testconstants.RootSerialNumber) require.Equal(t, testconstants.RootSubject, proposedRevocation.Subject) require.Equal(t, testconstants.RootSubjectKeyID, proposedRevocation.SubjectKeyId) require.True(t, proposedRevocation.HasRevocationFrom(setup.Trustee1.String())) - // check that approved certificate still exists - certificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NotNil(t, certificate) + // Check: DA + All + UniqueCertificate + ensureDaPaaCertificateExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootIssuer, + testconstants.RootSerialNumber) // check that revoked certificate does not exist - _, err = queryRevokedCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that unique certificate key stays registered - require.True(t, - setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) + require.False(t, setup.Keeper.IsRevokedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) } func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing.T) { 
@@ -101,10 +101,13 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. require.NoError(t, err) // check that the certificate is still not revoked - approvedCertificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Equal(t, testconstants.RootIssuer, approvedCertificate.Subject) - require.Equal(t, testconstants.RootSerialNumber, approvedCertificate.SerialNumber) - require.True(t, approvedCertificate.IsRoot) + ensureDaPaaCertificateExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootIssuer, + testconstants.RootSerialNumber) } // One more revoke will revoke the certificate 
@@ -113,17 +116,38 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert) require.NoError(t, err) - // Check that the certificate is revoked - ensureDaPaaCertificateDoesNotExist( + // Check: DA - missing + ensureCertificateNotPresentInDaCertificateIndexes( t, setup, testconstants.RootSubject, testconstants.RootSubjectKeyID, - testconstants.RootIssuer, + false, + ) + + // Check: All - missing + ensureCertificateNotPresentInGlobalCertificateIndexes( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + false, + ) + + // Check: ProposedCertificateRevocation - missing + found := setup.Keeper.IsProposedCertificateRevocationPresent( + setup.Ctx, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, - true) + ) + require.False(t, found) + + // Check: UniqueCertificate - present + found = setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber) + require.True(t, found) - // Check that the certificate is revoked + // Check: Revoked - present revokedCertificate, err := querySingleRevokedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) require.NoError(t, err) require.Equal(t, testconstants.RootIssuer, revokedCertificate.Subject) diff --git a/x/pki/tests/handler_revoke_pai_cert_test.go b/x/pki/tests/handler_revoke_pai_cert_test.go index 14d456270..5d8c2362e 100644 --- a/x/pki/tests/handler_revoke_pai_cert_test.go +++ b/x/pki/tests/handler_revoke_pai_cert_test.go @@ -32,7 +32,7 @@ func TestHandler_RevokeX509Cert(t *testing.T) { } proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - // Add two intermediate certificates again + // Add intermediate certificate addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) // revoke x509 certificate 
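Review bot: After the final approval in TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification, nothing visible asserts that the revoked PAA has left the approved-root list. `ensureCertificateNotPresentInDaCertificateIndexes` is called here with the same arguments as for the intermediate in handler_revoke_pai_cert_test.go. The presence helper in handler_test.go gains an `isRoot` branch for that list in this patch, but the absence helper takes no such flag at this call. Its body is not in the hunk, so this may already be covered. If it is not, add an explicit check under `// Check: DA - missing` that `queryApprovedRootCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID)` yields no entry, since a revoked root that lingers in that list is the failure this test should catch.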
@@ -47,24 +47,49 @@ func TestHandler_RevokeX509Cert(t *testing.T) { _, err := setup.Handler(setup.Ctx, revokeX509Cert) require.NoError(t, err) - // check that intermediate certificate has been revoked + // Check: Revoked - present allRevokedCertificates, _ := queryAllRevokedCertificates(setup) require.Equal(t, 1, len(allRevokedCertificates)) require.Equal(t, testconstants.IntermediateSubject, allRevokedCertificates[0].Subject) require.Equal(t, testconstants.IntermediateSubjectKeyID, allRevokedCertificates[0].SubjectKeyId) require.Equal(t, 1, len(allRevokedCertificates[0].Certs)) - ensureDaPaiCertificateDoesNotExist( + // Check: UniqueCertificate - present + found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber) + require.True(t, found) + + // Check: ProposedCertificateRevocation - missing + found = setup.Keeper.IsProposedCertificateRevocationPresent( + setup.Ctx, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + testconstants.IntermediateSerialNumber, + ) + require.False(t, found) + + // Check: All - missing + ensureCertificateNotPresentInGlobalCertificateIndexes( t, setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, - testconstants.IntermediateIssuer, - testconstants.IntermediateSerialNumber, - true, - false) + false, + ) - // check that root certificate stays approved + // Check: DA - missing + ensureCertificateNotPresentInDaCertificateIndexes( + t, + setup, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + false, + ) + + // Check: child certificate - missing + found = setup.Keeper.IsChildCertificatePresent(setup.Ctx, testconstants.IntermediateIssuer, testconstants.IntermediateAuthorityKeyID) + require.False(t, found) + + // Check: Root stays approved ensureDaPaaCertificateExist( t, setup, 
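Review bot: The `// Check: UniqueCertificate - present` assertion in TestHandler_RevokeX509Cert looks up `testconstants.RootIssuer, testconstants.RootSerialNumber`, which is the root's entry, not the one for the certificate being revoked. The block this replaces (removed in the next hunk) checked `testconstants.IntermediateIssuer, testconstants.IntermediateSerialNumber`, so the test no longer verifies that the intermediate's issuer and serial pair stays registered after revocation. The line should read `found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.IntermediateIssuer, testconstants.IntermediateSerialNumber)`. The function body continues past the end of the hunk.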
@@ -72,20 +97,6 @@ func TestHandler_RevokeX509Cert(t *testing.T) { testconstants.RootSubjectKeyID, testconstants.RootSubject, testconstants.RootSerialNumber) - - // check that no proposed certificate revocations have been created - allProposedCertificateRevocations, _ := queryAllProposedCertificateRevocations(setup) - require.NoError(t, err) - require.Equal(t, 0, len(allProposedCertificateRevocations)) - - // check that child certificate identifiers list of issuer do not exist anymore - _, err = queryChildCertificates(setup, testconstants.IntermediateIssuer, testconstants.IntermediateAuthorityKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) - - // check that unique certificate key stays registered - require.True(t, setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, - testconstants.IntermediateIssuer, testconstants.IntermediateSerialNumber)) } func TestHandler_RevokeX509Cert_ForTree(t *testing.T) { diff --git a/x/pki/tests/handler_test.go b/x/pki/tests/handler_test.go index 3a52dfb88..37c59f58b 100644 --- a/x/pki/tests/handler_test.go +++ b/x/pki/tests/handler_test.go @@ -2,16 +2,16 @@ package tests import ( "context" - "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki" "testing" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - "github.com/cosmos/cosmos-sdk/testutil/testdata" sdk "github.com/cosmos/cosmos-sdk/types" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" + "github.com/zigbee-alliance/distributed-compliance-ledger/x/pki" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + testconstants "github.com/zigbee-alliance/distributed-compliance-ledger/integration_tests/constants" testkeeper "github.com/zigbee-alliance/distributed-compliance-ledger/testutil/keeper" dclauthtypes "github.com/zigbee-alliance/distributed-compliance-ledger/x/dclauth/types" 
@@ -276,6 +276,23 @@ func querySingleApprovedCertificate( return certificates.Certs[0], nil } +func querySingleApprovedRootCertificate( + setup *TestSetup, + subject string, + subjectKeyID string, +) (*types.Certificate, error) { + certificates, err := queryApprovedRootCertificates(setup, subject, subjectKeyID) + if err != nil { + return nil, err + } + + if len(certificates) > 1 { + require.Fail(setup.T, "More than 1 certificate returned") + } + + return certificates[0], nil +} + func queryApprovedCertificates( setup *TestSetup, subject string, @@ -979,6 +996,15 @@ func ensureCertificatePresentInDaCertificateIndexes( require.Equal(t, serialNumber, approvedCertificate.SerialNumber) require.Equal(t, isRoot, approvedCertificate.IsRoot) + if isRoot { + // DaCertificates: Root Subject and SKID + approvedRootCertificate, _ := querySingleApprovedRootCertificate(setup, subject, subjectKeyID) + require.Equal(t, subject, approvedRootCertificate.Subject) + require.Equal(t, subjectKeyID, approvedRootCertificate.SubjectKeyId) + require.Equal(t, serialNumber, approvedRootCertificate.SerialNumber) + require.Equal(t, isRoot, approvedRootCertificate.IsRoot) + } + // DaCertificates: SKID certificateBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, subjectKeyID) require.Len(t, certificateBySubjectKeyID, 1) diff --git a/x/pki/tests/test-design.md b/x/pki/tests/test-design.md new file mode 100644 index 000000000..748cc479b --- /dev/null +++ b/x/pki/tests/test-design.md 
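Review bot: `querySingleApprovedRootCertificate` indexes `certificates[0]` after guarding only against more than one result, so an empty slice with a nil error panics with an index-out-of-range instead of failing the test cleanly. Replacing the `len(certificates) > 1` branch with `require.Len(setup.T, certificates, 1)` covers both cases. In the second hunk the new `isRoot` branch calls it as `approvedRootCertificate, _ := querySingleApprovedRootCertificate(...)` and dereferences the result. A failed lookup then surfaces as a nil-pointer panic, so the error should be kept and checked with `require.NoError(t, err)` before the field comparisons. The enclosing function of the second hunk starts and ends outside it.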
@@ -0,0 +1,180 @@
+### [Add DA Root](./handler_add_paa_cert_test.go)
+
+* Propose adding of DA root certificate:
+ * Indexes to check:
+ * Present:
+ * `ProposedCertificate`
+ * `UniqueCertificate`
+ * Missing:
+ * `RejectedCertificate`
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject
+ * Tests:
+ * `TestHandler_ProposeAddX509RootCert_ByTrustee`
+* Propose add approve adding of DA root certificate:
+ * Indexes:
+ * Present:
+ * `UniqueCertificate`
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject
+ * Missing:
+ * `ProposedCertificate`
+ * Tests:
+ * `TestHandler_ApproveAddX509RootCert_ForEnoughApprovals`
+ * `TestHandler_TwoThirdApprovalsNeededForAddingRootCertification`
+ * `TestHandler_ApproveX509RootCert_FourApprovalsAreNeeded_FiveTrustees`
+
+### [Add DA Intermediate](./handler_add_pai_cert_test.go)
+
+* Add DA intermediate certificate:
+ * Indexes to check:
+ * Present:
+ * `UniqueCertificate`
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `DA Certificates`: Subject+SKID (approved), SKID, Subject
+ * `ChildCertificates`: for parent
+ * Missing:
+ * `ProposedCertificate`
+ * Tests:
+ * `TestHandler_AddX509Cert`
+
+### [Revoke DA Root](./handler_revoke_paa_cert_test.go)
+
+* Propose revocation of DA root certificate:
+ * Indexes to check:
+ * Present:
+ * `ProposedCertificateRevocation`
+ * `UniqueCertificate`
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject
+ * Missing:
+ * `RevokedCertificates`
+ * Tests:
+ * `TestHandler_ProposeRevokeX509RootCert_ByTrusteeOwner`
+* Propose and approve revocation of DA root certificate:
+ * Indexes:
+ * Present:
+ * `RevokedCertificates`
+ * `UniqueCertificate`
+ * Missing:
+ * `ProposedCertificateRevocation`
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject
+ * Tests:
+ * `TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification`
+
+### [Revoke DA Intermediate](./handler_revoke_pai_cert_test.go)
+
+* Revoke DA intermediate certificate:
+ * Indexes to check:
+ * Present:
+ * `RevokedCertificates`
+ * `UniqueCertificate`
+ * Root - stays approved
+ * Missing:
+ * `ProposedCertificateRevocation`
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `DA Certificates`: Subject+SKID (approved), SKID, Subject
+ * `ChildCertificates`: for parent
+ * Tests:
+ * `TestHandler_RevokeX509Cert`
+
+### [Remove DA Intermediate](./handler_remove_pai_cert_test.go)
+
+* Remove DA intermediate certificate:
+ * Indexes to check:
+ * Present:
+ * -
+ * Missing:
+ * `RevokedCertificates`
+ * `UniqueCertificate`
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `DA Certificates`: Subject+SKID (approved), SKID, Subject
+ * `ChildCertificates`: for parent
+ * Tests:
+ * `TestHandler_RemoveX509Cert_BySubjectAndSKID`
+
+### [Add Noc Root](./handler_add_noc_root_cert_test.go)
+
+* Add Noc root certificate:
+ * Indexes to check:
+ * Present:
+ * `UniqueCertificate`
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID
+ * Missing:
+ * -
+ * Tests:
+ * `TestHandler_AddNocX509Cert_AddNewRoot`
+
+### [Add Noc Intermediate](./handler_add_noc_ica_cert_test.go)
+
+* Add Noc intermediate certificate:
+ * Indexes to check:
+ * Present:
+ * `UniqueCertificate`
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID
+ * `ChildCertificates`: for parent
+ * Missing:
+ * -
+ * Tests:
+ * `TestHandler_AddNocX509Cert_AddNewIca`
+
+### [Revoke Noc Root](./handler_revoke_noc_root_cert_test.go)
+
+* Revoke Noc root certificate:
+ * Indexes:
+ * Present:
+ * `RevokedCertificates` (root)
+ * `UniqueCertificate`
+ * Missing:
+ * `RevokedCertificates` (ica)
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID
+ * Tests:
+ * `TestHandler_RevokeNocX509RootCert`
+
+### [Revoke Noc Ica](./handler_revoke_noc_ica_cert_test.go)
+
+* Revoke Noc ica certificate:
+ * Indexes:
+ * Present:
+ * `RevokedCertificates` (ica)
+ * `UniqueCertificate`
+ * Missing:
+ * `RevokedCertificates` (root)
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID
+ * `ChildCertificates`: for parent
+ * Tests:
+ * `TestHandler_RevokeNocX509Cert`
+
+### [Remove Noc Root](./handler_remove_noc_root_cert_test.go)
+
+* Remove Noc root certificate by Subject/SKID:
+ * Indexes to check:
+ * Present:
+ * -
+ * Missing:
+ * `RevokedCertificates` (root)
+ * `UniqueCertificate`
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID
+ * Tests:
+ * `TestHandler_RemoveNocX509RootCert`
+
+### [Remove Noc Root](./handler_remove_noc_ica_cert_test.go)
+
+* Remove Noc ica certificate by Subject/SKID:
+ * Indexes to check:
+ * Present:
+ * -
+ * Missing:
+ * `RevokedCertificates` (ica)
+ * `UniqueCertificate`
+ * `All Certificates`: Subject+SKID, SKID, Subject
+ * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID
+ * `ChildCertificates`: for parent
+ * Tests:
+ * `TestHandler_RemoveNocX509IcaCert`
From a8b8d35755a95c716f20231a0d1ea848bedae0e9 Mon Sep 17 00:00:00 2001
From: "artem.ivanov" Date: Wed, 20 Nov 2024 22:40:31 +0300 Subject: [PATCH 5/8] Tests Refactoring --- x/pki/keeper/rejected_certificate.go | 14 ++ x/pki/tests/handler_add_noc_ica_cert_test.go | 32 ++- x/pki/tests/handler_add_noc_root_cert_test.go | 8 +- x/pki/tests/handler_add_paa_cert_test.go | 173 ++++++++++----- x/pki/tests/handler_add_pai_cert_test.go | 46 ++-- .../tests/handler_remove_noc_ica_cert_test.go | 73 ++++--- .../handler_remove_noc_root_cert_test.go | 50 +++-- x/pki/tests/handler_remove_pai_cert_test.go | 55 ++--- .../tests/handler_revoke_noc_ica_cert_test.go | 59 ++--- .../handler_revoke_noc_root_cert_test.go | 27 ++- x/pki/tests/handler_revoke_paa_cert_test.go | 78 +++++-- x/pki/tests/handler_revoke_pai_cert_test.go | 32 +-- x/pki/tests/handler_test.go | 202 ++++++++++-------- x/pki/tests/test-design.md | 33 +-- 14 files changed, 536 insertions(+), 346 deletions(-) diff --git a/x/pki/keeper/rejected_certificate.go b/x/pki/keeper/rejected_certificate.go index 3fd77aaf1..eaf3747d4 100644 --- a/x/pki/keeper/rejected_certificate.go +++ b/x/pki/keeper/rejected_certificate.go @@ -66,3 +66,17 @@ func (k Keeper) GetAllRejectedCertificate(ctx sdk.Context) (list []types.Rejecte return } + +// Check if the rejected certificate exists. +func (k Keeper) IsRejectedCertificatePresent( + ctx sdk.Context, + subject string, + subjectKeyID string, +) bool { + store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RejectedCertificateKeyPrefix)) + + return store.Has(types.RejectedCertificateKey( + subject, + subjectKeyID, + )) +} diff --git a/x/pki/tests/handler_add_noc_ica_cert_test.go b/x/pki/tests/handler_add_noc_ica_cert_test.go index c17b70b22..482be236d 100644 --- a/x/pki/tests/handler_add_noc_ica_cert_test.go +++ b/x/pki/tests/handler_add_noc_ica_cert_test.go 
@@ -14,40 +14,38 @@ import ( // Main -func TestHandler_AddNocX509Cert_AddNewIca(t *testing.T) { +func TestHandler_AddNocIntermediateCert(t *testing.T) { setup := Setup(t) - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + accAddress := setup.CreateVendorAccount(testconstants.Vid) // add NOC root certificate addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) // add NOC ICA certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1) // Check: Noc + All + UniqueCertificate - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID, testconstants.NocCert1Issuer, testconstants.NocCert1SerialNumber, - vid, - false) + testconstants.Vid, + false, + ) // ChildCertificates: check that child certificates of issuer contains certificate identifier - issuerChildren, _ := queryChildCertificates( - setup, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) - require.Equal(t, 1, len(issuerChildren.CertIds)) - require.Equal(t, - &types.CertificateIdentifier{ - Subject: testconstants.NocCert1Subject, - SubjectKeyId: testconstants.NocCert1SubjectKeyID, - }, - issuerChildren.CertIds[0]) + ensureChildCertificateExist( + t, + setup, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID, + ) } // Extra cases diff --git a/x/pki/tests/handler_add_noc_root_cert_test.go b/x/pki/tests/handler_add_noc_root_cert_test.go index 5bcbe4b08..46b78b1a4 100644 --- a/x/pki/tests/handler_add_noc_root_cert_test.go +++ b/x/pki/tests/handler_add_noc_root_cert_test.go 
@@ -13,12 +13,10 @@ import ( // Main -func TestHandler_AddNocX509Cert_AddNewRoot(t *testing.T) { +func TestHandler_AddNocRootCert(t *testing.T) { setup := Setup(t) - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + accAddress := setup.CreateVendorAccount(testconstants.Vid) // add NOC root certificate addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) @@ -31,7 +29,7 @@ func TestHandler_AddNocX509Cert_AddNewRoot(t *testing.T) { testconstants.NocRootCert1SubjectKeyID, testconstants.NocCert1Issuer, testconstants.NocRootCert1SerialNumber, - vid) + testconstants.Vid) } // Extra cases diff --git a/x/pki/tests/handler_add_paa_cert_test.go b/x/pki/tests/handler_add_paa_cert_test.go index fceeb998b..655fff616 100644 --- a/x/pki/tests/handler_add_paa_cert_test.go +++ b/x/pki/tests/handler_add_paa_cert_test.go @@ -18,15 +18,21 @@ import ( // Main -func TestHandler_ProposeAddX509RootCert_ByTrustee(t *testing.T) { +func TestHandler_ProposeAddDaRootCert(t *testing.T) { setup := Setup(t) - // propose x509 root certificate - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) + // propose DA root certificate + proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( + setup.Trustee1.String(), + testconstants.RootCertPem, + testconstants.Info, + testconstants.Vid, + testconstants.CertSchemaVersion, + ) _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) require.NoError(t, err) - // query proposed certificate + // Check: ProposedCertificate - present proposedCertificate, _ := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) require.Equal(t, proposeAddX509RootCert.Cert, proposedCertificate.PemCert) require.Equal(t, proposeAddX509RootCert.Signer, proposedCertificate.Owner) 
@@ -35,43 +41,68 @@ func TestHandler_ProposeAddX509RootCert_ByTrustee(t *testing.T) { require.Equal(t, testconstants.RootSerialNumber, proposedCertificate.SerialNumber) require.True(t, proposedCertificate.HasApprovalFrom(proposeAddX509RootCert.Signer)) - // check that unique certificate key is registered + // Check: UniqueCertificate - present require.True(t, setup.Keeper.IsUniqueCertificatePresent( setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) - // query approved certificate - _, err = querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // Check: RejectedCertificate - empty + require.False(t, setup.Keeper.IsRejectedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) - // query approved certificate - _, err = querySingleCertificateFromAllCertificatesIndex(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // Check: Approved DA - empty + ensureCertificateNotPresentInDaCertificateIndexes( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + true, + false, + ) + + // Check: Global - empty + ensureGlobalCertificateNotExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + false, + ) } -func TestHandler_ApproveAddX509RootCert_ForEnoughApprovals(t *testing.T) { +func TestHandler_AddDaRootCert(t *testing.T) { setup := Setup(t) // propose add x509 root certificate by trustee - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) + proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( + setup.Trustee1.String(), + testconstants.RootCertPem, + testconstants.Info, + testconstants.Vid, + 
testconstants.CertSchemaVersion, + ) _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) require.NoError(t, err) // approve by second trustee approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + setup.Trustee2.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) - // DA proposed certificates indexes checks - // query proposed certificate must be empty - _, err = queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // Check: ProposedCertificate - empty + require.False(t, setup.Keeper.IsProposedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) + + // Check: UniqueCertificate - present + require.True(t, setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) - // Check that root certificate exists - ensureDaPaaCertificateExist( + // Check: DA + All + UniqueCertificate + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, 
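Review bot: The new calls in TestHandler_ProposeAddDaRootCert pass bare positional booleans (`true, false` to `ensureCertificateNotPresentInDaCertificateIndexes`, `false` to `ensureGlobalCertificateNotExist`), and nothing at the call site says what each flag controls. In a test that guards the proposed-versus-approved boundary, a swapped flag would presumably loosen the assertion without anyone noticing. Add a trailing comment naming each parameter, in the style of `true, // leaf certificate with the same vid exists` used in handler_remove_noc_ica_cert_test.go. The `@@ -82,14 +81,18 @@` hunk of handler_remove_pai_cert_test.go adds another unlabelled `false,` to a similar call. The test function begins in the previous hunk.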
@@ -80,11 +111,17 @@ func TestHandler_ApproveAddX509RootCert_ForEnoughApprovals(t *testing.T) { testconstants.RootSerialNumber) } -func TestHandler_TwoThirdApprovalsNeededForAddingRootCertification(t *testing.T) { +func TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded(t *testing.T) { setup := Setup(t) // propose x509 root certificate by account without trustee role - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) + proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( + setup.Trustee1.String(), + testconstants.RootCertPem, + testconstants.Info, + testconstants.Vid, + testconstants.CertSchemaVersion, + ) _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) require.NoError(t, err) @@ -105,7 +142,11 @@ func TestHandler_TwoThirdApprovalsNeededForAddingRootCertification(t *testing.T) // Until we hit 2/3 of the total number of Trustees, we should not be able to approve the certificate for i := 1; i < twoThirds-1; i++ { approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( - trusteeAccounts[i].String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + trusteeAccounts[i].String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) 
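Review bot: The comment kept above the reformatted `NewMsgProposeAddX509RootCert` call in TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded says the proposal comes from an account without the trustee role, but the signer is `setup.Trustee1.String()`. Since the test is about the approval quorum, the comment should name the real actor: `// propose x509 root certificate by trustee`. The function body continues past this hunk.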
@@ -120,16 +161,25 @@ func TestHandler_TwoThirdApprovalsNeededForAddingRootCertification(t *testing.T) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) - // Check that root certificate exists - ensureDaPaaCertificateExist( + // Check: ProposedCertificate - empty + require.False(t, setup.Keeper.IsProposedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) + + // Check: UniqueCertificate - present + require.True(t, setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) + + // Check: DA + All + UniqueCertificate + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootIssuer, - testconstants.RootSerialNumber) + testconstants.RootSerialNumber, + ) - // query approved certificate and we should get one back + // Check: Approvals approvedCertificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) require.Equal(t, testconstants.RootIssuer, approvedCertificate.Subject) require.Equal(t, testconstants.RootSerialNumber, approvedCertificate.SerialNumber) @@ -142,7 +192,7 @@ func TestHandler_TwoThirdApprovalsNeededForAddingRootCertification(t *testing.T) require.Equal(t, approvedCertificate.HasApprovalFrom(setup.Trustee2.String()), true) } -func TestHandler_ApproveX509RootCert_FourApprovalsAreNeeded_FiveTrustees(t *testing.T) { +func TestHandler_AddDaRootCert_FourApprovalsAreNeeded_FiveTrustees(t *testing.T) { setup := Setup(t) // we have 5 trustees: 1 approval comes from propose => we need 3 more approvals 
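Review bot: Under the new `// Check: Approvals` label the lookup still discards its error (`approvedCertificate, _ := querySingleApprovedCertificate(...)`), so a failed query would surface as a confusing field mismatch, or possibly a nil dereference, rather than a clear failure. Capture and assert it: `approvedCertificate, err := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID)` followed by `require.NoError(t, err)`. The next line also compares `approvedCertificate.Subject` with `testconstants.RootIssuer`, which presumably only holds because the root is self-signed; `testconstants.RootSubject` would state the intent. The test function starts before this hunk.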
@@ -156,43 +206,70 @@ func TestHandler_ApproveX509RootCert_FourApprovalsAreNeeded_FiveTrustees(t *test setup.AddAccount(fifthTrustee, []dclauthtypes.AccountRole{dclauthtypes.Trustee}, 1) // propose x509 root certificate by account Trustee1 - proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert(setup.Trustee1.String(), testconstants.RootCertPem, testconstants.Info, testconstants.Vid, testconstants.CertSchemaVersion) + proposeAddX509RootCert := types.NewMsgProposeAddX509RootCert( + setup.Trustee1.String(), + testconstants.RootCertPem, + testconstants.Info, + testconstants.Vid, + testconstants.CertSchemaVersion, + ) _, err := setup.Handler(setup.Ctx, proposeAddX509RootCert) require.NoError(t, err) // approve x509 root certificate by account Trustee2 - approveAddX509RootCert := types.NewMsgApproveAddX509RootCert(setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + approveAddX509RootCert := types.NewMsgApproveAddX509RootCert( + setup.Trustee2.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) // approve x509 root certificate by account Trustee3 - approveAddX509RootCert = types.NewMsgApproveAddX509RootCert(setup.Trustee3.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + approveAddX509RootCert = types.NewMsgApproveAddX509RootCert( + setup.Trustee3.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) // reject x509 root certificate by account Trustee4 - rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert(fourthTrustee.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + rejectAddX509RootCert := types.NewMsgRejectAddX509RootCert( + fourthTrustee.String(), + 
testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, rejectAddX509RootCert) require.NoError(t, err) - // certificate should be in the entity , because we haven't enough approvals - proposedCertificate, err := queryProposedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NoError(t, err) - - // check proposed certificate - require.Equal(t, proposeAddX509RootCert.Cert, proposedCertificate.PemCert) - require.Equal(t, proposeAddX509RootCert.Signer, proposedCertificate.Owner) - require.Equal(t, testconstants.RootSubject, proposedCertificate.Subject) - require.Equal(t, testconstants.RootSubjectKeyID, proposedCertificate.SubjectKeyId) - require.Equal(t, testconstants.RootSerialNumber, proposedCertificate.SerialNumber) + // Check: ProposedCertificate - present because we haven't enough approvals + require.True(t, setup.Keeper.IsProposedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) // approve x509 root certificate by account Trustee5 - approveAddX509RootCert = types.NewMsgApproveAddX509RootCert(fifthTrustee.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.Info) + approveAddX509RootCert = types.NewMsgApproveAddX509RootCert( + fifthTrustee.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.Info, + ) _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) - // certificate should be in the entity , because we have enough approvals - ensureDaPaaCertificateExist( + // Check: ProposedCertificate - empty + require.False(t, setup.Keeper.IsProposedCertificatePresent( + setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) + + // Check: UniqueCertificate - present + require.True(t, setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, testconstants.RootIssuer, testconstants.RootSerialNumber)) + + // Check: DA + All + 
UniqueCertificate + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, diff --git a/x/pki/tests/handler_add_pai_cert_test.go b/x/pki/tests/handler_add_pai_cert_test.go index 5dfb38847..fb6a6beb9 100644 --- a/x/pki/tests/handler_add_pai_cert_test.go +++ b/x/pki/tests/handler_add_pai_cert_test.go @@ -15,14 +15,12 @@ import ( // Main -func TestHandler_AddX509Cert(t *testing.T) { +func TestHandler_AddDaIntermediateCert(t *testing.T) { setup := Setup(t) - accAddress := GenerateAccAddress() - vid := testconstants.Vid - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + accAddress := setup.CreateVendorAccount(testconstants.Vid) - // add DA PAA certificate + // add DA root certificate rootCertOptions := createTestRootCertOptions() proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) @@ -31,8 +29,8 @@ func TestHandler_AddX509Cert(t *testing.T) { _, err := setup.Handler(setup.Ctx, addX509Cert) require.NoError(t, err) - // Check that root certificate exists - ensureDaPaiCertificateExist( + // Check: DA + All + UniqueCertificate + ensureDaIntermediateCertificateExist( t, setup, testconstants.IntermediateSubject, 
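Review bot: In TestHandler_AddDaRootCert_FourApprovalsAreNeeded_FiveTrustees (the `@@ -156,43 +206,70 @@` hunk) the state after three approvals and one rejection is now checked only with `IsProposedCertificatePresent`; nothing asserts that the certificate is still absent from the approved indexes at that point. That absence is the property the quorum test exists to protect, and the commit also drops the field-level checks of the pending proposal. Before the fifth trustee approves, add `ensureCertificateNotPresentInDaCertificateIndexes(t, setup, testconstants.RootSubject, testconstants.RootSubjectKeyID, true, false)`, assuming the flags mean the same as in TestHandler_ProposeAddDaRootCert, where the state is also proposed but not approved.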
@@ -42,20 +40,18 @@ func TestHandler_AddX509Cert(t *testing.T) { false) // ChildCertificates: check that child certificates of issuer contains certificate identifier - issuerChildren, _ := queryChildCertificates( - setup, testconstants.IntermediateIssuer, testconstants.IntermediateAuthorityKeyID) - require.Equal(t, 1, len(issuerChildren.CertIds)) - require.Equal(t, - &types.CertificateIdentifier{ - Subject: testconstants.IntermediateSubject, - SubjectKeyId: testconstants.IntermediateSubjectKeyID, - }, - issuerChildren.CertIds[0]) + ensureChildCertificateExist( + t, + setup, + testconstants.IntermediateIssuer, + testconstants.IntermediateAuthorityKeyID, + testconstants.IntermediateSubject, + testconstants.IntermediateSubjectKeyID, + ) - // check that no proposed certificate has been created - _, err = queryProposedCertificate(setup, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID) - require.Error(t, err) - require.Equal(t, codes.NotFound, status.Code(err)) + // Check: ProposedCertificate - empty + require.False(t, setup.Keeper.IsProposedCertificatePresent( + setup.Ctx, testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID)) } // Extra cases 
@@ -63,15 +59,17 @@ func TestHandler_AddX509Cert(t *testing.T) { func TestHandler_AddX509Cert_VIDScoped(t *testing.T) { setup := Setup(t) + accAddress := setup.CreateVendorAccount(testconstants.PAACertWithNumericVidVid) + // store root certificate rootCertOptions := createPAACertWithNumericVidOptions() proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.PAACertWithNumericVidVid) - // add x509 certificate - addX509Cert := types.NewMsgAddX509Cert(accAddress.String(), testconstants.PAICertWithNumericPidVid, testconstants.CertSchemaVersion) + addX509Cert := types.NewMsgAddX509Cert( + accAddress.String(), + testconstants.PAICertWithNumericPidVid, + testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addX509Cert) require.NoError(t, err) diff --git a/x/pki/tests/handler_remove_noc_ica_cert_test.go b/x/pki/tests/handler_remove_noc_ica_cert_test.go index ce554898b..258a4cdee 100644 --- a/x/pki/tests/handler_remove_noc_ica_cert_test.go +++ b/x/pki/tests/handler_remove_noc_ica_cert_test.go @@ -15,19 +15,17 @@ import ( // Main -func TestHandler_RemoveNocX509IcaCert(t *testing.T) { +func TestHandler_RemoveNocIntermediateCert(t *testing.T) { setup := Setup(t) // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + vendorAccAddress := setup.CreateVendorAccount(testconstants.Vid) // add NOC root certificate addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) // add intermediate certificate - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // remove intermediate certificate removeIcaCert := types.NewMsgRemoveNocX509IcaCert( 
@@ -51,7 +49,7 @@ func TestHandler_RemoveNocX509IcaCert(t *testing.T) { ) // Check: All - missing - ensureCertificateNotPresentInGlobalCertificateIndexes( + ensureGlobalCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -60,15 +58,24 @@ func TestHandler_RemoveNocX509IcaCert(t *testing.T) { ) // Check: UniqueCertificate - missing - found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1Issuer, testconstants.NocCert1SerialNumber) + found := setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, + testconstants.NocCert1Issuer, + testconstants.NocCert1SerialNumber) require.False(t, found) // Check: RevokedCertificates (ica) - missing - found = setup.Keeper.IsRevokedNocIcaCertificatePresent(setup.Ctx, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) + found = setup.Keeper.IsRevokedNocIcaCertificatePresent( + setup.Ctx, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID) require.False(t, found) // Check: child certificate - missing - found = setup.Keeper.IsChildCertificatePresent(setup.Ctx, testconstants.NocCert1Issuer, testconstants.NocCert1AuthorityKeyID) + found = setup.Keeper.IsChildCertificatePresent( + setup.Ctx, + testconstants.NocCert1Issuer, + testconstants.NocCert1AuthorityKeyID) require.False(t, found) } 
@@ -84,9 +91,9 @@ func TestHandler_RemoveNocX509IcaCert_BySubjectAndSKID(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) // add two intermediate certificates - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocLeafCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocLeafCert1) // get certificates for further comparison nocCerts := setup.Keeper.GetAllNocCertificates(setup.Ctx) @@ -105,7 +112,7 @@ func TestHandler_RemoveNocX509IcaCert_BySubjectAndSKID(t *testing.T) { require.NoError(t, err) // Check that intermediate certificates does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -116,7 +123,7 @@ func TestHandler_RemoveNocX509IcaCert_BySubjectAndSKID(t *testing.T) { true, // leaf certificate with the same vid exists false) - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1CopySubject, @@ -128,7 +135,7 @@ func TestHandler_RemoveNocX509IcaCert_BySubjectAndSKID(t *testing.T) { false) // Check that leaf certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocLeafCert1Subject, 
@@ -173,13 +180,13 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) // Add ICA certificates - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // Add ICA certificates with sam subject and SKID but different serial number - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) // Add a leaf certificate - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocLeafCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocLeafCert1) // get certificates for further comparison intermediateCerts, _ := queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) @@ -210,7 +217,7 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { require.Equal(t, 3, len(allCerts[0].Certs)+len(allCerts[1].Certs)+len(allCerts[2].Certs)) // Check that intermediate certificates with NocCert1CopySerialNumber exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1CopySubject, @@ -221,7 +228,7 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { true) // Check that leaf certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocLeafCert1Subject, @@ -257,7 +264,7 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { require.Equal(t, 2, len(allCerts[0].Certs)+len(allCerts[1].Certs)) // Check that intermediate certificates with NocCert1SerialNumber does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, 
@@ -269,7 +276,7 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { false) // Check that intermediate certificates with NocCert1CopySerialNumber does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1CopySubject, @@ -281,7 +288,7 @@ func TestHandler_RemoveNocX509IcaCert_BySerialNumber(t *testing.T) { false) // Check that leaf certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocLeafCert1Subject, @@ -321,10 +328,10 @@ func TestHandler_RemoveNocX509IcaCert_RevokedCertificate(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) // Add an intermediate certificate - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // Check that certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -347,7 +354,7 @@ func TestHandler_RemoveNocX509IcaCert_RevokedCertificate(t *testing.T) { require.NoError(t, err) // Check that certificate does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -380,7 +387,7 @@ func TestHandler_RemoveNocX509IcaCert_RevokedCertificate(t *testing.T) { require.Equal(t, true, allCerts[0].Certs[0].IsRoot) // Check that certificate does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, 
@@ -414,10 +421,10 @@ func TestHandler_RemoveNocX509IcaCert_RevokedAndActiveCertificate(t *testing.T) addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) // Add an intermediate certificate - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // Check that certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -440,7 +447,7 @@ func TestHandler_RemoveNocX509IcaCert_RevokedAndActiveCertificate(t *testing.T) require.NoError(t, err) // Check that certificate does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -457,14 +464,14 @@ func TestHandler_RemoveNocX509IcaCert_RevokedAndActiveCertificate(t *testing.T) require.Equal(t, 1, len(revokedNocCerts.Certs)) // Add an intermediate certificate with new serial number - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1Copy) // Ensure that only 1 certificate exists intermediateCerts, _ := queryNocCertificates(setup, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) require.Equal(t, 1, len(intermediateCerts.Certs)) // Check that certificate exists (with new serial number) - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1CopySubject, @@ -490,7 +497,7 @@ func TestHandler_RemoveNocX509IcaCert_RevokedAndActiveCertificate(t *testing.T) require.Equal(t, true, allCerts[0].Certs[0].IsRoot) // Check that certificate does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1CopySubject, 
diff --git a/x/pki/tests/handler_remove_noc_root_cert_test.go b/x/pki/tests/handler_remove_noc_root_cert_test.go index b1eaa467a..891e7d33b 100644 --- a/x/pki/tests/handler_remove_noc_root_cert_test.go +++ b/x/pki/tests/handler_remove_noc_root_cert_test.go @@ -15,13 +15,11 @@ import ( // Main -func TestHandler_RemoveNocX509RootCert(t *testing.T) { +func TestHandler_RemoveNocRootCert(t *testing.T) { setup := Setup(t) // Add vendor account - vid := testconstants.Vid - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + vendorAccAddress := setup.CreateVendorAccount(testconstants.Vid) // add NOC root certificates addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1) @@ -48,7 +46,7 @@ func TestHandler_RemoveNocX509RootCert(t *testing.T) { ) // Check: All - missing - ensureCertificateNotPresentInGlobalCertificateIndexes( + ensureGlobalCertificateNotExist( t, setup, testconstants.NocRootCert1Subject, @@ -57,11 +55,17 @@ func TestHandler_RemoveNocX509RootCert(t *testing.T) { ) // Check: UniqueCertificate - missing - found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1Issuer, testconstants.NocRootCert1SerialNumber) + found := setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, + testconstants.NocRootCert1Issuer, + testconstants.NocRootCert1SerialNumber) require.False(t, found) // Check: RevokedCertificates (root) - missing - found = setup.Keeper.IsRevokedNocRootCertificatePresent(setup.Ctx, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) + found = setup.Keeper.IsRevokedNocRootCertificatePresent( + setup.Ctx, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID) require.False(t, found) } 
@@ -78,7 +82,7 @@ func TestHandler_RemoveNocX509RootCert_BySubjectAndSKID(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1Copy) // Add intermediate certificate - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // get certificates for further comparison nocCerts := setup.Keeper.GetAllNocCertificates(setup.Ctx) @@ -103,7 +107,7 @@ func TestHandler_RemoveNocX509RootCert_BySubjectAndSKID(t *testing.T) { require.Equal(t, testconstants.NocCert1SerialNumber, nocCerts[0].Certs[0].SerialNumber) // Check that root certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1Subject, @@ -115,7 +119,7 @@ func TestHandler_RemoveNocX509RootCert_BySubjectAndSKID(t *testing.T) { false) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1CopySubject, @@ -127,7 +131,7 @@ func TestHandler_RemoveNocX509RootCert_BySubjectAndSKID(t *testing.T) { false) // Check that intermediate certificates does not exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -151,7 +155,7 @@ func TestHandler_RemoveNocX509RootCert_BySerialNumber(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1Copy) // Add ICA certificates - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // remove NOC root certificate by serial number removeIcaCert := types.NewMsgRemoveNocX509RootCert( 
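Review bot: In the `@@ -127,7 +131,7 @@` hunk the comment `// Check that intermediate certificates does not exist` sits directly above `ensureNocIntermediateCertificateExist(`, which asserts the opposite. The test is checking that the intermediate survives removal of its root, so the comment should read `// Check that intermediate certificate still exists`. The same stale comment precedes the renamed call in the `@@ -182,7 +186,7 @@`, `@@ -232,7 +236,7 @@`, `@@ -302,7 +306,7 @@` and `@@ -327,7 +331,7 @@` hunks of this file.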
@@ -182,7 +186,7 @@ func TestHandler_RemoveNocX509RootCert_BySerialNumber(t *testing.T) { vid) // Check that intermediate certificates does not exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -208,7 +212,7 @@ func TestHandler_RemoveNocX509RootCert_BySerialNumber(t *testing.T) { require.Equal(t, testconstants.NocCert1SerialNumber, nocCerts[0].Certs[0].SerialNumber) // Check that root certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1Subject, @@ -220,7 +224,7 @@ func TestHandler_RemoveNocX509RootCert_BySerialNumber(t *testing.T) { false) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1CopySubject, @@ -232,7 +236,7 @@ func TestHandler_RemoveNocX509RootCert_BySerialNumber(t *testing.T) { false) // Check that intermediate certificates does not exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -256,7 +260,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { addNocRootCertificate(setup, vendorAccAddress, testconstants.NocRootCert1Copy) // Add an intermediate certificate - addNocIcaCertificate(setup, vendorAccAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, vendorAccAddress, testconstants.NocCert1) // revoke NOC root certificates revokeX509Cert := types.NewMsgRevokeNocX509RootCert( @@ -271,7 +275,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { require.NoError(t, err) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1Subject, 
@@ -283,7 +287,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { true) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1CopySubject, @@ -302,7 +306,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { require.Equal(t, testconstants.NocRootCert1CopySubjectKeyID, revokedCerts.Certs[1].SubjectKeyId) // Check that intermediate certificates does not exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -327,7 +331,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { require.Equal(t, testconstants.NocCert1SerialNumber, allCerts[0].Certs[0].SerialNumber) // Check that intermediate certificates does not exist - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocCert1Subject, @@ -338,7 +342,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { false) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1Subject, @@ -350,7 +354,7 @@ func TestHandler_RemoveNocX509RootCert_RevokedCertificate(t *testing.T) { true) // Check that root copy certificates does not exist - ensureNocRootCertificateDoesNotExist( + ensureNocRootCertificateNotExist( t, setup, testconstants.NocRootCert1CopySubject, diff --git a/x/pki/tests/handler_remove_pai_cert_test.go b/x/pki/tests/handler_remove_pai_cert_test.go index dbe061397..d9c3f6446 100644 --- a/x/pki/tests/handler_remove_pai_cert_test.go +++ b/x/pki/tests/handler_remove_pai_cert_test.go 
@@ -15,12 +15,11 @@ import ( // Main -func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { +func TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID(t *testing.T) { setup := Setup(t) // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.RootCertWithVidVid) + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) // propose and approve x509 root certificate rootCertOptions := &rootCertOptions{ @@ -33,7 +32,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // Add intermediate certificates - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) // Remove intermediate certificate removeX509Cert := types.NewMsgRemoveX509Cert( @@ -67,7 +66,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { require.False(t, found) // Check: All - missing - ensureCertificateNotPresentInGlobalCertificateIndexes( + ensureGlobalCertificateNotExist( t, setup, testconstants.IntermediateSubject, @@ -82,14 +81,18 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID(t *testing.T) { testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, false, + false, ) // Check: child certificate - missing - found = setup.Keeper.IsChildCertificatePresent(setup.Ctx, testconstants.IntermediateIssuer, testconstants.IntermediateAuthorityKeyID) + found = setup.Keeper.IsChildCertificatePresent( + setup.Ctx, + testconstants.IntermediateIssuer, + testconstants.IntermediateAuthorityKeyID) require.False(t, found) // Check: root exists - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootCertWithSameSubjectAndSKIDSubject, 
@@ -116,11 +119,11 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID_TwoCerts(t *testing.T) { proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // Add two intermediate certificates - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID2) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID2) // Add a leaf certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.LeafCertWithSameSubjectAndSKID) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertWithSameSubjectAndSKID) // get certificates for further comparison allCerts := setup.Keeper.GetAllApprovedCertificates(setup.Ctx) @@ -144,7 +147,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID_TwoCerts(t *testing.T) { require.Equal(t, 2, len(allCerts[0].Certs)+len(allCerts[1].Certs)) // Check that intermediate certificates does not exist - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, @@ -154,7 +157,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID_TwoCerts(t *testing.T) { false, true) // leaf has same subject - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, @@ -165,7 +168,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID_TwoCerts(t *testing.T) { true) // leaf has same subject // check that leaf certificate exists - ensureDaPaiCertificateExist( + ensureDaIntermediateCertificateExist( t, setup, testconstants.LeafCertWithSameSubjectAndSKIDSubject, 
@@ -175,7 +178,7 @@ func TestHandler_RemoveX509Cert_BySubjectAndSKID_TwoCerts(t *testing.T) { false) // check that root certificate exists - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootCertWithSameSubjectAndSKIDSubject, @@ -202,11 +205,11 @@ func TestHandler_RemoveX509Cert_BySerialNumber_TwoCerts(t *testing.T) { proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // Add intermediate certificates - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID2) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID1) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateWithSameSubjectAndSKID2) // Add a leaf certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.LeafCertWithSameSubjectAndSKID) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertWithSameSubjectAndSKID) // remove intermediate certificate by serial number removeX509Cert := types.NewMsgRemoveX509Cert( @@ -224,7 +227,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber_TwoCerts(t *testing.T) { require.Equal(t, 3, len(allCerts[0].Certs)+len(allCerts[1].Certs)+len(allCerts[2].Certs)) // Check that intermediate certificates exist - ensureDaPaiCertificateExist( + ensureDaIntermediateCertificateExist( t, setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, @@ -234,7 +237,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber_TwoCerts(t *testing.T) { true) // check that leaf certificate exists - ensureDaPaiCertificateExist( + ensureDaIntermediateCertificateExist( t, setup, testconstants.LeafCertWithSameSubjectAndSKIDSubject, 
@@ -244,7 +247,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber_TwoCerts(t *testing.T) { true) // check that root certificate exists - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootCertWithSameSubjectAndSKIDSubject, @@ -267,7 +270,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber_TwoCerts(t *testing.T) { require.Equal(t, 2, len(allCerts[0].Certs)+len(allCerts[1].Certs)) // Check that intermediate certificates does not exist - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, @@ -277,7 +280,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber_TwoCerts(t *testing.T) { false, true) // leaf has same subject - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateCertWithSameSubjectAndSKIDSubject, @@ -288,7 +291,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber_TwoCerts(t *testing.T) { true) // leaf has same subject // check that leaf certificate exists - ensureDaPaiCertificateExist( + ensureDaIntermediateCertificateExist( t, setup, testconstants.LeafCertWithSameSubjectAndSKIDSubject, @@ -298,7 +301,7 @@ func TestHandler_RemoveX509Cert_BySerialNumber_TwoCerts(t *testing.T) { true) // check that root certificate exists - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootCertWithSameSubjectAndSKIDSubject, @@ -325,7 +328,7 @@ func TestHandler_RemoveX509Cert_RevokedCertificate(t *testing.T) { proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // Add two intermediate certificates again - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) // revoke intermediate certificate by serial number revokeX509Cert := types.NewMsgRevokeX509Cert( 
@@ -357,7 +360,7 @@ func TestHandler_RemoveX509Cert_RevokedCertificate(t *testing.T) { _, err = setup.Handler(setup.Ctx, removeX509Cert) require.NoError(t, err) - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateSubject, diff --git a/x/pki/tests/handler_revoke_noc_ica_cert_test.go b/x/pki/tests/handler_revoke_noc_ica_cert_test.go index 334f4761d..852f9bd37 100644 --- a/x/pki/tests/handler_revoke_noc_ica_cert_test.go +++ b/x/pki/tests/handler_revoke_noc_ica_cert_test.go @@ -16,17 +16,16 @@ import ( // Main -func TestHandler_RevokeNocX509Cert(t *testing.T) { +func TestHandler_RevokeNocIntermediateCert(t *testing.T) { setup := Setup(t) - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + accAddress := setup.CreateVendorAccount(testconstants.Vid) // add the first NOC root certificate addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) // add the NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1) // Revoke NOC with subject and subject key id only revokeCert := types.NewMsgRevokeNocX509IcaCert( @@ -52,7 +51,7 @@ func TestHandler_RevokeNocX509Cert(t *testing.T) { ) // Check: All - missing - ensureCertificateNotPresentInGlobalCertificateIndexes( + ensureGlobalCertificateNotExist( t, setup, testconstants.NocCert1Subject, 
@@ -61,19 +60,31 @@ func TestHandler_RevokeNocX509Cert(t *testing.T) { ) // Check: UniqueCertificate - present - found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocCert1Issuer, testconstants.NocCert1SerialNumber) + found := setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, + testconstants.NocCert1Issuer, + testconstants.NocCert1SerialNumber) require.True(t, found) // Check: RevokedCertificates (ica) - present - found = setup.Keeper.IsRevokedNocIcaCertificatePresent(setup.Ctx, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) + found = setup.Keeper.IsRevokedNocIcaCertificatePresent( + setup.Ctx, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID) require.True(t, found) // Check: RevokedCertificates (root) - missing - found = setup.Keeper.IsRevokedNocRootCertificatePresent(setup.Ctx, testconstants.NocCert1Subject, testconstants.NocCert1SubjectKeyID) + found = setup.Keeper.IsRevokedNocRootCertificatePresent( + setup.Ctx, + testconstants.NocCert1Subject, + testconstants.NocCert1SubjectKeyID) require.False(t, found) // Check: child certificate - missing - found = setup.Keeper.IsChildCertificatePresent(setup.Ctx, testconstants.NocCert1Issuer, testconstants.NocCert1AuthorityKeyID) + found = setup.Keeper.IsChildCertificatePresent( + setup.Ctx, + testconstants.NocCert1Issuer, + testconstants.NocCert1AuthorityKeyID) require.False(t, found) } 
@@ -87,13 +98,13 @@ func TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) { addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) // add the first NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1) // add the second NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1Copy) // add the NOC leaf certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocLeafCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocLeafCert1) // Revoke NOC with subject and subject key id only revokeCert := types.NewMsgRevokeNocX509IcaCert( @@ -115,7 +126,7 @@ func TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) { require.Equal(t, testconstants.NocCert1SubjectKeyID, revokedNocCerts.SubjectKeyId) // Check that intermediate certificates does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -126,7 +137,7 @@ func TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) { true, // leaf certificate with the same vid exists true) - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1CopySubject, @@ -138,7 +149,7 @@ func TestHandler_RevokeNocX509Cert_RevokeDefault(t *testing.T) { true) // Check that leaf certificate exists - ensureNocIcaCertificateExist( + ensureNocIntermediateCertificateExist( t, setup, testconstants.NocLeafCert1Subject, 
@@ -159,13 +170,13 @@ func TestHandler_RevokeNocX509Cert_RevokeWithChild(t *testing.T) { addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) // add the first NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1) // add the second NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1Copy) // add the NOC leaf certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocLeafCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocLeafCert1) // Revoke noc with subject and subject key id and its child too revokeCert := types.NewMsgRevokeNocX509IcaCert( @@ -197,7 +208,7 @@ func TestHandler_RevokeNocX509Cert_RevokeWithChild(t *testing.T) { require.Equal(t, testconstants.NocRootCert1SubjectKeyID, certs[0].SubjectKeyId) // Check that intermediate certificates does not exist - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1Subject, @@ -208,7 +219,7 @@ func TestHandler_RevokeNocX509Cert_RevokeWithChild(t *testing.T) { false, true) - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocCert1CopySubject, @@ -220,7 +231,7 @@ func TestHandler_RevokeNocX509Cert_RevokeWithChild(t *testing.T) { true) // Check that leaf certificate exists - ensureNocIcaCertificateDoesNotExist( + ensureNocIntermediateCertificateNotExist( t, setup, testconstants.NocLeafCert1Subject, 
@@ -242,13 +253,13 @@ func TestHandler_RevokeNocX509Cert_RevokeBySerialNumber(t *testing.T) { addNocRootCertificate(setup, accAddress, testconstants.NocRootCert1) // add the first NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1) // add the second NOC non-root certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocCert1Copy) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocCert1Copy) // add the NOC leaf certificate - addNocIcaCertificate(setup, accAddress, testconstants.NocLeafCert1) + addNocIntermediateCertificate(setup, accAddress, testconstants.NocLeafCert1) // Revoke NOC by serial number only revokeCert := types.NewMsgRevokeNocX509IcaCert( diff --git a/x/pki/tests/handler_revoke_noc_root_cert_test.go b/x/pki/tests/handler_revoke_noc_root_cert_test.go index 28d58c8af..efa6caec2 100644 --- a/x/pki/tests/handler_revoke_noc_root_cert_test.go +++ b/x/pki/tests/handler_revoke_noc_root_cert_test.go @@ -16,14 +16,16 @@ import ( // Main -func TestHandler_RevokeNocX509RootCert(t *testing.T) { +func TestHandler_RevokeNoRootCert(t *testing.T) { setup := Setup(t) - accAddress := GenerateAccAddress() - setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + accAddress := setup.CreateVendorAccount(testconstants.Vid) // add the first NOC root certificate - addNocX509RootCert := types.NewMsgAddNocX509RootCert(accAddress.String(), testconstants.NocRootCert1, testconstants.CertSchemaVersion) + addNocX509RootCert := types.NewMsgAddNocX509RootCert( + accAddress.String(), + testconstants.NocRootCert1, + testconstants.CertSchemaVersion) _, err := setup.Handler(setup.Ctx, addNocX509RootCert) require.NoError(t, err) 
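Review bot: The renamed test in handler_revoke_noc_root_cert_test.go (`@@ -16,14 +16,16 @@`) is spelled `TestHandler_RevokeNoRootCert`, which reads as "no root cert" rather than "NOC root cert". The sibling rename in handler_revoke_noc_ica_cert_test.go uses `TestHandler_RevokeNocIntermediateCert`, so this looks like a dropped letter; I would write `func TestHandler_RevokeNocRootCert(t *testing.T) {`. The test body continues outside the hunk.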
@@ -51,7 +53,7 @@ func TestHandler_RevokeNocX509RootCert(t *testing.T) { ) // Check: All - missing - ensureCertificateNotPresentInGlobalCertificateIndexes( + ensureGlobalCertificateNotExist( t, setup, testconstants.NocRootCert1Subject, @@ -60,15 +62,24 @@ func TestHandler_RevokeNocX509RootCert(t *testing.T) { ) // Check: UniqueCertificate - present - found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, testconstants.NocRootCert1Issuer, testconstants.NocRootCert1SerialNumber) + found := setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, + testconstants.NocRootCert1Issuer, + testconstants.NocRootCert1SerialNumber) require.True(t, found) // Check: RevokedCertificates (root) - present - found = setup.Keeper.IsRevokedNocRootCertificatePresent(setup.Ctx, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) + found = setup.Keeper.IsRevokedNocRootCertificatePresent( + setup.Ctx, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID) require.True(t, found) // Check: RevokedCertificates (ica) - missing - found = setup.Keeper.IsRevokedNocIcaCertificatePresent(setup.Ctx, testconstants.NocRootCert1Subject, testconstants.NocRootCert1SubjectKeyID) + found = setup.Keeper.IsRevokedNocIcaCertificatePresent( + setup.Ctx, + testconstants.NocRootCert1Subject, + testconstants.NocRootCert1SubjectKeyID) require.False(t, found) } diff --git a/x/pki/tests/handler_revoke_paa_cert_test.go b/x/pki/tests/handler_revoke_paa_cert_test.go index 88b7309bf..5d98bb878 100644 --- a/x/pki/tests/handler_revoke_paa_cert_test.go +++ b/x/pki/tests/handler_revoke_paa_cert_test.go @@ -18,7 +18,7 @@ import ( // Main -func TestHandler_ProposeRevokeX509RootCert_ByTrusteeOwner(t *testing.T) { +func TestHandler_ProposeRevokeDaRootCert(t *testing.T) { setup := Setup(t) // propose x509 root certificate by `setup.Trustee` and approve by another trustee 
@@ -27,7 +27,12 @@ func TestHandler_ProposeRevokeX509RootCert_ByTrusteeOwner(t *testing.T) { // propose revocation of x509 root certificate by `setup.Trustee` proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) + setup.Trustee1.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSerialNumber, + false, + testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) @@ -38,7 +43,7 @@ func TestHandler_ProposeRevokeX509RootCert_ByTrusteeOwner(t *testing.T) { require.True(t, proposedRevocation.HasRevocationFrom(setup.Trustee1.String())) // Check: DA + All + UniqueCertificate - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, @@ -51,7 +56,7 @@ func TestHandler_ProposeRevokeX509RootCert_ByTrusteeOwner(t *testing.T) { setup.Ctx, testconstants.RootSubject, testconstants.RootSubjectKeyID)) } -func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing.T) { +func TestHandler_RevokeDaRootCert_TwoThirdApprovalsNeeded(t *testing.T) { setup := Setup(t) // propose x509 root certificate by account without trustee role 
@@ -65,11 +70,14 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. _, err = setup.Handler(setup.Ctx, approveAddX509RootCert) require.NoError(t, err) - approvedCertificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.Equal(t, testconstants.RootIssuer, approvedCertificate.Subject) - require.Equal(t, testconstants.RootSerialNumber, approvedCertificate.SerialNumber) - require.True(t, approvedCertificate.IsRoot) - require.True(t, approvedCertificate.HasApprovalFrom(setup.Trustee1.String())) + // Check: DA + All + UniqueCertificate + ensureDaRootCertificateExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootIssuer, + testconstants.RootSerialNumber) // Create an array of trustee account from 1 to 50 trusteeAccounts := make([]sdk.AccAddress, 50) @@ -87,7 +95,12 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. // Trustee1 proposes to revoke the certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - setup.Trustee1.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) + setup.Trustee1.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSerialNumber, + false, + testconstants.Info) _, err = setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) 
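Review bot: The `@@ -65,11 +70,14 @@` hunk replaces the explicit `IsRoot` and `HasApprovalFrom(setup.Trustee1.String())` assertions with `ensureDaRootCertificateExist`. The helper calls visible later in this patch look like index-presence checks, so the approval record is probably no longer asserted at this point. This test is about the approval threshold, so I would keep that one check next to the helper call: `cert, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID)` followed by `require.True(t, cert.HasApprovalFrom(setup.Trustee1.String()))`. If the helper does verify approvals in a part not shown here, a short comment saying so would be enough. The test function starts and ends outside the hunk.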
@@ -96,12 +109,16 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. for i := 1; i < twoThirds-1; i++ { // approve the revocation approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert( - trusteeAccounts[i].String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + trusteeAccounts[i].String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSerialNumber, + testconstants.Info) _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert) require.NoError(t, err) // check that the certificate is still not revoked - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, @@ -112,7 +129,11 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. // One more revoke will revoke the certificate approveRevokeX509RootCert := types.NewMsgApproveRevokeX509RootCert( - setup.Trustee2.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, testconstants.Info) + setup.Trustee2.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSerialNumber, + testconstants.Info) _, err = setup.Handler(setup.Ctx, approveRevokeX509RootCert) require.NoError(t, err) @@ -122,11 +143,12 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. setup, testconstants.RootSubject, testconstants.RootSubjectKeyID, + true, false, ) // Check: All - missing - ensureCertificateNotPresentInGlobalCertificateIndexes( + ensureGlobalCertificateNotExist( t, setup, testconstants.RootSubject, 
@@ -161,7 +183,7 @@ func TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification(t *testing. require.Equal(t, revokedCertificate.HasApprovalFrom(setup.Trustee2.String()), true) } -func TestHandler_ProposeRevokeX509RootCert_ByTrusteeNotOwner(t *testing.T) { +func TestHandler_ProposeRevokeDaRootCert_ByTrusteeNotOwner(t *testing.T) { setup := Setup(t) // propose x509 root certificate by `setup.Trustee` and approve by another trustee @@ -174,7 +196,12 @@ func TestHandler_ProposeRevokeX509RootCert_ByTrusteeNotOwner(t *testing.T) { // propose revocation of x509 root certificate by new trustee proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( - anotherTrustee.String(), testconstants.RootSubject, testconstants.RootSubjectKeyID, testconstants.RootSerialNumber, false, testconstants.Info) + anotherTrustee.String(), + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSerialNumber, + false, + testconstants.Info) _, err := setup.Handler(setup.Ctx, proposeRevokeX509RootCert) require.NoError(t, err) @@ -185,8 +212,13 @@ func TestHandler_ProposeRevokeX509RootCert_ByTrusteeNotOwner(t *testing.T) { require.True(t, proposedRevocation.HasRevocationFrom(anotherTrustee.String())) // check that approved certificate still exists - certificate, _ := querySingleApprovedCertificate(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) - require.NotNil(t, certificate) + ensureDaRootCertificateExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootIssuer, + testconstants.RootSerialNumber) // check that revoked certificate does not exist _, err = queryRevokedCertificates(setup, testconstants.RootSubject, testconstants.RootSubjectKeyID) 
@@ -211,10 +243,10 @@ func TestHandler_ApproveRevokeX509RootCert_ForTree(t *testing.T) { setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) // add intermediate x509 certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) // add leaf x509 certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) // propose revocation of x509 root certificate proposeRevokeX509RootCert := types.NewMsgProposeRevokeX509RootCert( @@ -276,7 +308,7 @@ func TestHandler_ApproveRevokeX509RootCert_ForTree(t *testing.T) { require.Nil(t, leafCertChildren) // check that root certificate does not exist - ensureDaPaaCertificateDoesNotExist( + ensureDaRootCertificateNotExist( t, setup, testconstants.RootSubject, @@ -286,7 +318,7 @@ func TestHandler_ApproveRevokeX509RootCert_ForTree(t *testing.T) { true) // check that intermediate certificate does not exist - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.IntermediateSubject, @@ -297,7 +329,7 @@ func TestHandler_ApproveRevokeX509RootCert_ForTree(t *testing.T) { false) // check that intermediate certificate does not exist - ensureDaPaiCertificateDoesNotExist( + ensureDaIntermediateCertificateNotExist( t, setup, testconstants.LeafSubject, diff --git a/x/pki/tests/handler_revoke_pai_cert_test.go b/x/pki/tests/handler_revoke_pai_cert_test.go index 5d8c2362e..8c7bcc451 100644 --- a/x/pki/tests/handler_revoke_pai_cert_test.go +++ b/x/pki/tests/handler_revoke_pai_cert_test.go 
@@ -15,12 +15,11 @@ import ( // Main -func TestHandler_RevokeX509Cert(t *testing.T) { +func TestHandler_RevokeDaIntermediateCert(t *testing.T) { setup := Setup(t) // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.RootCertWithVidVid) + vendorAccAddress := setup.CreateVendorAccount(testconstants.RootCertWithVidVid) // propose and approve x509 root certificate rootCertOptions := &rootCertOptions{ @@ -33,9 +32,9 @@ func TestHandler_RevokeX509Cert(t *testing.T) { proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // Add intermediate certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) - // revoke x509 certificate + // revoke intermediate certificate revokeX509Cert := types.NewMsgRevokeX509Cert( vendorAccAddress.String(), testconstants.IntermediateSubject, @@ -68,7 +67,7 @@ func TestHandler_RevokeX509Cert(t *testing.T) { require.False(t, found) // Check: All - missing - ensureCertificateNotPresentInGlobalCertificateIndexes( + ensureGlobalCertificateNotExist( t, setup, testconstants.IntermediateSubject, @@ -83,14 +82,18 @@ func TestHandler_RevokeX509Cert(t *testing.T) { testconstants.IntermediateSubject, testconstants.IntermediateSubjectKeyID, false, + false, ) // Check: child certificate - missing - found = setup.Keeper.IsChildCertificatePresent(setup.Ctx, testconstants.IntermediateIssuer, testconstants.IntermediateAuthorityKeyID) + found = setup.Keeper.IsChildCertificatePresent( + setup.Ctx, + testconstants.IntermediateIssuer, + testconstants.IntermediateAuthorityKeyID) require.False(t, found) // Check: Root stays approved - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, 
@@ -103,18 +106,17 @@ func TestHandler_RevokeX509Cert_ForTree(t *testing.T) { setup := Setup(t) // Add vendor account - vendorAccAddress := GenerateAccAddress() - setup.AddAccount(vendorAccAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, testconstants.Vid) + vendorAccAddress := setup.CreateVendorAccount(testconstants.Vid) // add root x509 certificate rootCertOptions := createTestRootCertOptions() proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // add intermediate x509 certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) // add leaf x509 certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) // revoke x509 certificate revokeX509Cert := types.NewMsgRevokeX509Cert( @@ -141,7 +143,7 @@ func TestHandler_RevokeX509Cert_ForTree(t *testing.T) { require.Equal(t, testconstants.IntermediateCertPem, allRevokedCertificates[1].Certs[0].PemCert) // check that root certificate stays approved - ensureDaPaaCertificateExist( + ensureDaRootCertificateExist( t, setup, testconstants.RootSubject, @@ -182,7 +184,7 @@ func TestHandler_RevokeX509Cert_BySerialNumber(t *testing.T) { proposeAndApproveRootCertificate(setup, setup.Trustee1, rootCertOptions) // Add two intermediate certificates - addDaPaiCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.IntermediateCertPem) intermediateCertificate := intermediateCertificateNoVid(vendorAccAddress) intermediateCertificate.SerialNumber = SerialNumber 
@@ -195,7 +197,7 @@ func TestHandler_RevokeX509Cert_BySerialNumber(t *testing.T) { ) // Add a leaf certificate - addDaPaiCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) + addDaIntermediateCertificate(setup, vendorAccAddress, testconstants.LeafCertPem) // get certificates for further comparison allCerts := setup.Keeper.GetAllApprovedCertificates(setup.Ctx) diff --git a/x/pki/tests/handler_test.go b/x/pki/tests/handler_test.go index 37c59f58b..93dcb902a 100644 --- a/x/pki/tests/handler_test.go +++ b/x/pki/tests/handler_test.go @@ -75,6 +75,13 @@ func removeItemFromExpectedCalls(expectedCalls []*mock.Call, methodName string) } } +func (setup *TestSetup) CreateVendorAccount(vid int32) sdk.AccAddress { + accAddress := GenerateAccAddress() + setup.AddAccount(accAddress, []dclauthtypes.AccountRole{dclauthtypes.Vendor}, vid) + + return accAddress +} + func (setup *TestSetup) AddAccount( accAddress sdk.AccAddress, roles []dclauthtypes.AccountRole, @@ -921,7 +928,36 @@ func certificateIdentifier(subject string, subjectKeyID string) types.Certificat } } -func ensureCertificatePresentInGlobalCertificateIndexes( +func ensureUniqueCertificateCertificateExist( + t *testing.T, + setup *TestSetup, + issuer string, + serialNumber string, +) { + t.Helper() + + // UniqueCertificate: check that unique certificate key registered + require.True(t, setup.Keeper.IsUniqueCertificatePresent( + setup.Ctx, issuer, serialNumber)) +} + +func ensureUniqueCertificateCertificateNotExist( + t *testing.T, + setup *TestSetup, + issuer string, + serialNumber string, + skipCheck bool, +) { + t.Helper() + + if !skipCheck { + // UniqueCertificate: check that unique certificate key registered + found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, issuer, serialNumber) + require.False(t, found) + } +} + +func ensureGlobalCertificateExist( t *testing.T, setup *TestSetup, subject string, 
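Review bot: In the handler_test.go hunk `@@ -921,7 +928,36 @@` the two new helpers are named `ensureUniqueCertificateCertificateExist` and `ensureUniqueCertificateCertificateNotExist`; the doubled "Certificate" looks accidental next to `ensureGlobalCertificateExist`. I would name them `ensureUniqueCertificateExist` and `ensureUniqueCertificateNotExist`, which also means updating the callers in the later `ensureDa…Certificate…` hunks. The NotExist helper also carries the comment copied from the Exist helper while asserting `require.False`; it should read `// UniqueCertificate: check that the unique certificate key is not registered`. Finally, `skipCheck` turns the helper into a silent no-op, so a one-line doc comment explaining when callers pass `true` (the Da root caller passes `isRevoked`) would make the revocation tests easier to audit.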
@@ -952,7 +988,7 @@ func ensureCertificatePresentInGlobalCertificateIndexes( } } -func ensureCertificateNotPresentInGlobalCertificateIndexes( +func ensureGlobalCertificateNotExist( t *testing.T, setup *TestSetup, subject string, @@ -1019,6 +1055,39 @@ func ensureCertificatePresentInDaCertificateIndexes( } } +func ensureCertificateNotPresentInDaCertificateIndexes( + t *testing.T, + setup *TestSetup, + subject string, + subjectKeyID string, + isRoot bool, + skipCheckForSubject bool, // TODO: FIX constants and eliminate this condition +) { + t.Helper() + + // DA certificates indexes checks + + // DaCertificates: Subject and SKID + _, err := querySingleApprovedCertificate(setup, subject, subjectKeyID) + require.Equal(t, codes.NotFound, status.Code(err)) + + if isRoot { + // DaCertificates: Root Subject and SKID + _, err := querySingleApprovedRootCertificate(setup, subject, subjectKeyID) + require.Equal(t, codes.NotFound, status.Code(err)) + } + + // DaCertificates: SubjectKeyID + certificatesBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, subjectKeyID) + require.Empty(t, certificatesBySubjectKeyID) + + if !skipCheckForSubject { + // NocCertificates: Subject + _, err = queryApprovedCertificatesBySubject(setup, subject) + require.Equal(t, codes.NotFound, status.Code(err)) + } +} + func ensureCertificatePresentInNocCertificateIndexes( t *testing.T, setup *TestSetup, 
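Review bot: In the `@@ -1019,6 +1055,39 @@` hunk, the new `isRoot` branch of `ensureCertificateNotPresentInDaCertificateIndexes` declares `_, err := querySingleApprovedRootCertificate(...)`, which shadows the outer `err` from the first query. It is harmless today, but plain assignment avoids the shadow and matches the last block: `_, err = querySingleApprovedRootCertificate(setup, subject, subjectKeyID)`. The final comment `// NocCertificates: Subject` is a leftover in a DA helper and should be `// DaCertificates: Subject`. The SubjectKeyID lookup discards its error (`certificatesBySubjectKeyID, _ := …`), so a failing query would look the same as "not present"; asserting on that error as the other lookups do would make the negative check stricter. Call sites now pass two adjacent bare booleans (`false, false`, `true, false`), so a doc comment naming `isRoot` and `skipCheckForSubject` would help prevent swaps.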
@@ -1077,32 +1146,6 @@ func ensureCertificatePresentInNocCertificateIndexes( } } -func ensureCertificateNotPresentInDaCertificateIndexes( - t *testing.T, - setup *TestSetup, - subject string, - subjectKeyID string, - skipCheckForSubject bool, // TODO: FIX constants and eliminate this condition -) { - t.Helper() - - // DA certificates indexes checks - - // DaCertificates: Subject and SKID - _, err := querySingleApprovedCertificate(setup, subject, subjectKeyID) - require.Equal(t, codes.NotFound, status.Code(err)) - - // DaCertificates: SubjectKeyID - certificatesBySubjectKeyID, _ := queryAllApprovedCertificatesBySubjectKeyID(setup, subjectKeyID) - require.Empty(t, certificatesBySubjectKeyID) - - if !skipCheckForSubject { - // NocCertificates: Subject - _, err = queryApprovedCertificatesBySubject(setup, subject) - require.Equal(t, codes.NotFound, status.Code(err)) - } -} - func ensureCertificateNotPresentInNocCertificateIndexes( t *testing.T, setup *TestSetup, @@ -1146,36 +1189,7 @@ func ensureCertificateNotPresentInNocCertificateIndexes( } } -func ensureCertificatePresentInUniqueCertificateIndexes( - t *testing.T, - setup *TestSetup, - issuer string, - serialNumber string, -) { - t.Helper() - - // UniqueCertificate: check that unique certificate key registered - require.True(t, setup.Keeper.IsUniqueCertificatePresent( - setup.Ctx, issuer, serialNumber)) -} - -func ensureCertificateNotPresentInUniqueCertificateIndexes( - t *testing.T, - setup *TestSetup, - issuer string, - serialNumber string, - skipCheck bool, -) { - t.Helper() - - if !skipCheck { - // UniqueCertificate: check that unique certificate key registered - found := setup.Keeper.IsUniqueCertificatePresent(setup.Ctx, issuer, serialNumber) - require.False(t, found) - } -} - -func ensureDaPaaCertificateExist( +func ensureDaRootCertificateExist( t *testing.T, setup *TestSetup, subject string, 
@@ -1189,13 +1203,13 @@ func ensureDaPaaCertificateExist(
 ensureCertificatePresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, true, false)
 // All certificates indexes checks
- ensureCertificatePresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, false)
+ ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, false)
 // UniqueCertificate: check that unique certificate key registered
- ensureCertificatePresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber)
+ ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber)
 }
-func ensureDaPaiCertificateExist(
+func ensureDaIntermediateCertificateExist(
 t *testing.T,
 setup *TestSetup,
 subject string,
@@ -1210,13 +1224,13 @@ func ensureDaPaiCertificateExist(
 ensureCertificatePresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, false, skipCheckForSubject)
 // All certificates indexes checks
- ensureCertificatePresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, skipCheckForSubject)
+ ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, skipCheckForSubject)
 // UniqueCertificate: check that unique certificate key registered
- ensureCertificatePresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber)
+ ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber)
 }
-func ensureDaPaaCertificateDoesNotExist(
+func ensureDaRootCertificateNotExist(
 t *testing.T,
 setup *TestSetup,
 subject string,
@@ -1228,16 +1242,16 @@ func ensureDaPaaCertificateDoesNotExist(
 t.Helper()
 // DA certificates indexes checks
- ensureCertificateNotPresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, false)
+ ensureCertificateNotPresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, true, false)
 // All certificates indexes checks
- ensureCertificateNotPresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, false)
+ ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, false)
 // UniqueCertificate: check that unique certificate key registered
- ensureCertificateNotPresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber, isRevoked)
+ ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, isRevoked)
 }
-func ensureDaPaiCertificateDoesNotExist(
+func ensureDaIntermediateCertificateNotExist(
 t *testing.T,
 setup *TestSetup,
 subject string,
@@ -1250,13 +1264,13 @@ func ensureDaPaiCertificateDoesNotExist(
 t.Helper()
 // DA certificates indexes checks
- ensureCertificateNotPresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, skipCheckForSubject)
+ ensureCertificateNotPresentInDaCertificateIndexes(t, setup, subject, subjectKeyID, false, skipCheckForSubject)
 // All certificates indexes checks
- ensureCertificateNotPresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, skipCheckForSubject)
+ ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, skipCheckForSubject)
 // UniqueCertificate: check that unique certificate key registered
- ensureCertificateNotPresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber, skipCheckForUniqueness)
+ ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, skipCheckForUniqueness)
 }
 func ensureNocRootCertificateExist(
@@ -1274,13 +1288,13 @@ func ensureNocRootCertificateExist(
 ensureCertificatePresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, vid, true, false)
 // All certificates indexes checks
- ensureCertificatePresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, false)
+ ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, false)
 // UniqueCertificate: check that unique certificate key registered
- ensureCertificatePresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber)
+ ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber)
 }
-func ensureNocIcaCertificateExist(
+func ensureNocIntermediateCertificateExist(
 t *testing.T,
 setup *TestSetup,
 subject string,
@@ -1296,13 +1310,13 @@ func ensureNocIcaCertificateExist(
 ensureCertificatePresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, vid, false, skipCheckByVid)
 // All certificates indexes checks
- ensureCertificatePresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, serialNumber, false)
+ ensureGlobalCertificateExist(t, setup, subject, subjectKeyID, serialNumber, false)
 // UniqueCertificate: check that unique certificate key registered
- ensureCertificatePresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber)
+ ensureUniqueCertificateCertificateExist(t, setup, issuer, serialNumber)
 }
-func ensureNocIcaCertificateDoesNotExist(
+func ensureNocIntermediateCertificateNotExist(
 t *testing.T,
 setup *TestSetup,
 subject string,
@@ -1319,13 +1333,13 @@ func ensureNocIcaCertificateDoesNotExist(
 ensureCertificateNotPresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, vid, false, skipCheckByVid)
 // All certificates indexes checks
- ensureCertificateNotPresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, false)
+ ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, false)
 // UniqueCertificate: check that unique certificate key registered
- ensureCertificateNotPresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber, skipCheckForUniqueness)
+ ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, skipCheckForUniqueness)
 }
-func ensureNocRootCertificateDoesNotExist(
+func ensureNocRootCertificateNotExist(
 t *testing.T,
 setup *TestSetup,
 subject string,
@@ -1342,13 +1356,33 @@ func ensureNocRootCertificateDoesNotExist(
 ensureCertificateNotPresentInNocCertificateIndexes(t, setup, subject, subjectKeyID, vid, true, skipCheckByVid)
 // All certificates indexes checks
- ensureCertificateNotPresentInGlobalCertificateIndexes(t, setup, subject, subjectKeyID, false)
+ ensureGlobalCertificateNotExist(t, setup, subject, subjectKeyID, false)
 // UniqueCertificate: check that unique certificate key registered
- ensureCertificateNotPresentInUniqueCertificateIndexes(t, setup, issuer, serialNumber, skipCheckForUniqueness)
+ ensureUniqueCertificateCertificateNotExist(t, setup, issuer, serialNumber, skipCheckForUniqueness)
+}
+
+func ensureChildCertificateExist(
+ t *testing.T,
+ setup *TestSetup,
+ subject string,
+ subjectKeyID string,
+ issuer string,
+ authorityKeyId string,
+) {
+ t.Helper()
+
+ issuerChildren, _ := queryChildCertificates(setup, subject, subjectKeyID)
+ require.Equal(t, 1, len(issuerChildren.CertIds))
+
+ certID := types.CertificateIdentifier{
+ Subject: issuer,
+ SubjectKeyId: authorityKeyId,
+ }
+ require.Equal(t, &certID, issuerChildren.CertIds[0])
 }
-func addDaPaiCertificate(setup *TestSetup, address sdk.AccAddress, pemCert string) {
+func addDaIntermediateCertificate(setup *TestSetup, address sdk.AccAddress, pemCert string) {
 addX509Cert := types.NewMsgAddX509Cert(address.String(), pemCert, testconstants.CertSchemaVersion)
 _, err := setup.Handler(setup.Ctx, addX509Cert)
 require.NoError(setup.T, err)
@@ -1361,7 +1395,7 @@ func addNocRootCertificate(setup *TestSetup, address sdk.AccAddress, pemCert str
 require.NoError(setup.T, err)
 }
-func addNocIcaCertificate(setup *TestSetup, address sdk.AccAddress, pemCert string) {
+func addNocIntermediateCertificate(setup *TestSetup, address sdk.AccAddress, pemCert string) {
 // add the new NOC root certificate
 nocX509Cert := types.NewMsgAddNocX509IcaCert(address.String(), pemCert, testconstants.CertSchemaVersion)
 _, err := setup.Handler(setup.Ctx, nocX509Cert)
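Review bot: The added `ensureChildCertificateExist` drops the error from `queryChildCertificates` and immediately reads `issuerChildren.CertIds`, so a failed query shows up as a confusing length mismatch (or a nil dereference, if the result is a pointer) rather than a clear failure; keep it with `issuerChildren, err := queryChildCertificates(setup, subject, subjectKeyID)` and `require.NoError(t, err)`. The parameter names also read inverted: the lookup key is built from `subject`/`subjectKeyID` and the expected entry from `issuer`/`authorityKeyId`, whereas the keeper's `AddChildCertificate` stores the child's Subject/SubjectKeyId under the Issuer/AuthorityKeyId key. Either the names or the arguments should be swapped so that a caller passing a certificate's own fields cannot end up checking the wrong index entry; `queryChildCertificates` and the callers are outside this hunk, so which one is right needs confirming there. For consistency with `subjectKeyID`, `authorityKeyId` should be `authorityKeyID`, and `require.Len(t, issuerChildren.CertIds, 1)` states the length check more directly.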
diff --git a/x/pki/tests/test-design.md b/x/pki/tests/test-design.md index 748cc479b..28134dc85 100644 --- a/x/pki/tests/test-design.md +++ b/x/pki/tests/test-design.md @@ -10,7 +10,7 @@ * `All Certificates`: Subject+SKID, SKID, Subject * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject * Tests: - * `TestHandler_ProposeAddX509RootCert_ByTrustee` + * `TestHandler_ProposeAddDaRootCert` * Propose add approve adding of DA root certificate: * Indexes: * Present: @@ -20,9 +20,9 @@ * Missing: * `ProposedCertificate` * Tests: - * `TestHandler_ApproveAddX509RootCert_ForEnoughApprovals` - * `TestHandler_TwoThirdApprovalsNeededForAddingRootCertification` - * `TestHandler_ApproveX509RootCert_FourApprovalsAreNeeded_FiveTrustees` + * `TestHandler_AddDaRootCert` + * `TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded` + * `TestHandler_AddDaRootCert_FourApprovalsAreNeeded_FiveTrustees` ### [Add DA Intermediate](./handler_add_pai_cert_test.go) @@ -36,7 +36,7 @@ * Missing: * `ProposedCertificate` * Tests: - * `TestHandler_AddX509Cert` + * `TestHandler_AddDaIntermediateCert` ### [Revoke DA Root](./handler_revoke_paa_cert_test.go) @@ -50,7 +50,8 @@ * Missing: * `RevokedCertificates` * Tests: - * `TestHandler_ProposeRevokeX509RootCert_ByTrusteeOwner` + * `TestHandler_ProposeRevokeDaRootCert` + * `TestHandler_ProposeRevokeDaRootCert_ByTrusteeNotOwner` * Propose and approve revocation of DA root certificate: * Indexes: * Present: @@ -61,7 +62,7 @@ * `All Certificates`: Subject+SKID, SKID, Subject * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject * Tests: - * `TestHandler_TwoThirdApprovalsNeededForRevokingRootCertification` + * `TestHandler_RevokeDaRootCert_TwoThirdApprovalsNeeded` ### [Revoke DA Intermediate](./handler_revoke_pai_cert_test.go) 
@@ -77,7 +78,7 @@ * `DA Certificates`: Subject+SKID (approved), SKID, Subject * `ChildCertificates`: for parent * Tests: - * `TestHandler_RevokeX509Cert` + * `TestHandler_RevokeDaIntermediateCert` ### [Remove DA Intermediate](./handler_remove_pai_cert_test.go) @@ -92,7 +93,7 @@ * `DA Certificates`: Subject+SKID (approved), SKID, Subject * `ChildCertificates`: for parent * Tests: - * `TestHandler_RemoveX509Cert_BySubjectAndSKID` + * `TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID` ### [Add Noc Root](./handler_add_noc_root_cert_test.go) @@ -105,7 +106,7 @@ * Missing: * - * Tests: - * `TestHandler_AddNocX509Cert_AddNewRoot` + * `TestHandler_AddNocRootCert` ### [Add Noc Intermediate](./handler_add_noc_ica_cert_test.go) @@ -119,7 +120,7 @@ * Missing: * - * Tests: - * `TestHandler_AddNocX509Cert_AddNewIca` + * `TestHandler_AddNocIntermediateCert` ### [Revoke Noc Root](./handler_revoke_noc_root_cert_test.go) @@ -133,7 +134,7 @@ * `All Certificates`: Subject+SKID, SKID, Subject * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID * Tests: - * `TestHandler_RevokeNocX509RootCert` + * `TestHandler_RevokeNoRootCert` ### [Revoke Noc Ica](./handler_revoke_noc_ica_cert_test.go) @@ -148,7 +149,7 @@ * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID * `ChildCertificates`: for parent * Tests: - * `TestHandler_RevokeNocX509Cert` + * `TestHandler_RevokeNocIntermediateCert` ### [Remove Noc Root](./handler_remove_noc_root_cert_test.go) @@ -162,9 +163,9 @@ * `All Certificates`: Subject+SKID, SKID, Subject * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID * Tests: - * `TestHandler_RemoveNocX509RootCert` + * `TestHandler_RemoveNocRootCert` -### [Remove Noc Root](./handler_remove_noc_ica_cert_test.go) +### [Remove Noc Intermediate](./handler_remove_noc_ica_cert_test.go) * Remove Noc ica certificate by Subject/SKID: * Indexes to check: 
@@ -177,4 +178,4 @@ * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID * `ChildCertificates`: for parent * Tests: - * `TestHandler_RemoveNocX509IcaCert` + * `TestHandler_RemoveNocIntermediateCert` From 2ac5c297f9ff1078c2e227aded61660ed5d00c5e Mon Sep 17 00:00:00 2001 From: "artem.ivanov" Date: Thu, 21 Nov 2024 10:41:20 +0300 Subject: [PATCH 6/8] test Document Refactoring --- x/pki/tests/handler_add_paa_cert_test.go | 12 +- x/pki/tests/test-design.md | 457 ++++++++++++++--------- 2 files changed, 287 insertions(+), 182 deletions(-) diff --git a/x/pki/tests/handler_add_paa_cert_test.go b/x/pki/tests/handler_add_paa_cert_test.go index 655fff616..e68a07987 100644 --- a/x/pki/tests/handler_add_paa_cert_test.go +++ b/x/pki/tests/handler_add_paa_cert_test.go @@ -334,7 +334,7 @@ func TestHandler_AddX509RootCertsBySubjectKeyId(t *testing.T) { require.Equal(t, testconstants.PAACertWithSameSubjectID2Subject, approvedCertificates[0].Certs[1].Subject) } -func TestHandler_RejectX509RootCert_TwoRejectApprovalsAreNeeded(t *testing.T) { +func TestHandler_RejectAddDaRootCert(t *testing.T) { setup := Setup(t) // propose x509 root certificate by account Trustee1 @@ -387,6 +387,16 @@ func TestHandler_RejectX509RootCert_TwoRejectApprovalsAreNeeded(t *testing.T) { require.Equal(t, testconstants.Info, rejectedCertificate.Rejects[0].Info) require.Equal(t, setup.Trustee3.String(), rejectedCertificate.Rejects[1].Address) require.Equal(t, testconstants.Info, rejectedCertificate.Rejects[1].Info) + + // Check: Global + Approved DA + UniqueCertificate - missing + ensureDaRootCertificateNotExist( + t, + setup, + testconstants.RootSubject, + testconstants.RootSubjectKeyID, + testconstants.RootSubject, + testconstants.RootSerialNumber, + false) } func TestHandler_ApproveX509RootCertAndRejectX509RootCert_FromTheSameTrustee(t *testing.T) { diff --git a/x/pki/tests/test-design.md b/x/pki/tests/test-design.md index 28134dc85..6fb04fdfb 100644 --- a/x/pki/tests/test-design.md 
+++ b/x/pki/tests/test-design.md 
@@ -1,181 +1,276 @@ -### [Add DA Root](./handler_add_paa_cert_test.go) - -* Propose adding of DA root certificate: - * Indexes to check: - * Present: - * `ProposedCertificate` - * `UniqueCertificate` - * Missing: - * `RejectedCertificate` - * `All Certificates`: Subject+SKID, SKID, Subject - * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject - * Tests: - * `TestHandler_ProposeAddDaRootCert` -* Propose add approve adding of DA root certificate: - * Indexes: - * Present: - * `UniqueCertificate` - * `All Certificates`: Subject+SKID, SKID, Subject - * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject - * Missing: - * `ProposedCertificate` - * Tests: - * `TestHandler_AddDaRootCert` - * `TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded` - * `TestHandler_AddDaRootCert_FourApprovalsAreNeeded_FiveTrustees` - -### [Add DA Intermediate](./handler_add_pai_cert_test.go) - -* Add DA intermediate certificate: - * Indexes to check: - * Present: - * `UniqueCertificate` - * `All Certificates`: Subject+SKID, SKID, Subject - * `DA Certificates`: Subject+SKID (approved), SKID, Subject - * `ChildCertificates`: for parent - * Missing: - * `ProposedCertificate` - * Tests: - * `TestHandler_AddDaIntermediateCert` - -### [Revoke DA Root](./handler_revoke_paa_cert_test.go) - -* Propose revocation of DA root certificate: - * Indexes to check: - * Present: - * `ProposedCertificateRevocation` - * `UniqueCertificate` - * `All Certificates`: Subject+SKID, SKID, Subject - * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject - * Missing: - * `RevokedCertificates` - * Tests: - * `TestHandler_ProposeRevokeDaRootCert` - * `TestHandler_ProposeRevokeDaRootCert_ByTrusteeNotOwner` -* Propose and approve revocation of DA root certificate: - * Indexes: - * Present: - * `RevokedCertificates` - * `UniqueCertificate` - * Missing: - * `ProposedCertificateRevocation` - * `All Certificates`: Subject+SKID, SKID, Subject - * `DA 
Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject - * Tests: - * `TestHandler_RevokeDaRootCert_TwoThirdApprovalsNeeded` - -### [Revoke DA Intermediate](./handler_revoke_pai_cert_test.go) - -* Revoke DA intermediate certificate: - * Indexes to check: - * Present: - * `RevokedCertificates` - * `UniqueCertificate` - * Root - stays approved - * Missing: - * `ProposedCertificateRevocation` - * `All Certificates`: Subject+SKID, SKID, Subject - * `DA Certificates`: Subject+SKID (approved), SKID, Subject - * `ChildCertificates`: for parent - * Tests: - * `TestHandler_RevokeDaIntermediateCert` - -### [Remove DA Intermediate](./handler_remove_pai_cert_test.go) - -* Remove DA intermediate certificate: - * Indexes to check: - * Present: - * - - * Missing: - * `RevokedCertificates` - * `UniqueCertificate` - * `All Certificates`: Subject+SKID, SKID, Subject - * `DA Certificates`: Subject+SKID (approved), SKID, Subject - * `ChildCertificates`: for parent - * Tests: - * `TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID` - -### [Add Noc Root](./handler_add_noc_root_cert_test.go) - -* Add Noc root certificate: - * Indexes to check: - * Present: - * `UniqueCertificate` - * `All Certificates`: Subject+SKID, SKID, Subject - * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID - * Missing: - * - - * Tests: - * `TestHandler_AddNocRootCert` - -### [Add Noc Intermediate](./handler_add_noc_ica_cert_test.go) - -* Add Noc intermediate certificate: - * Indexes to check: - * Present: - * `UniqueCertificate` - * `All Certificates`: Subject+SKID, SKID, Subject - * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID - * `ChildCertificates`: for parent - * Missing: - * - - * Tests: - * `TestHandler_AddNocIntermediateCert` - -### [Revoke Noc Root](./handler_revoke_noc_root_cert_test.go) - -* Revoke Noc root certificate: - * Indexes: - * Present: - * `RevokedCertificates` (root) - * `UniqueCertificate` - * Missing: - * 
`RevokedCertificates` (ica) - * `All Certificates`: Subject+SKID, SKID, Subject - * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID - * Tests: - * `TestHandler_RevokeNoRootCert` - -### [Revoke Noc Ica](./handler_revoke_noc_ica_cert_test.go) - -* Revoke Noc ica certificate: - * Indexes: - * Present: - * `RevokedCertificates` (ica) - * `UniqueCertificate` - * Missing: - * `RevokedCertificates` (root) - * `All Certificates`: Subject+SKID, SKID, Subject - * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID - * `ChildCertificates`: for parent - * Tests: - * `TestHandler_RevokeNocIntermediateCert` - -### [Remove Noc Root](./handler_remove_noc_root_cert_test.go) - -* Remove Noc root certificate by Subject/SKID: - * Indexes to check: - * Present: - * - - * Missing: - * `RevokedCertificates` (root) - * `UniqueCertificate` - * `All Certificates`: Subject+SKID, SKID, Subject - * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID - * Tests: - * `TestHandler_RemoveNocRootCert` - -### [Remove Noc Intermediate](./handler_remove_noc_ica_cert_test.go) - -* Remove Noc ica certificate by Subject/SKID: - * Indexes to check: - * Present: - * - - * Missing: - * `RevokedCertificates` (ica) - * `UniqueCertificate` - * `All Certificates`: Subject+SKID, SKID, Subject - * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID - * `ChildCertificates`: for parent - * Tests: - * `TestHandler_RemoveNocIntermediateCert` +## [Add DA Root](./handler_add_paa_cert_test.go) + +### Propose adding of DA root certificate + +Indexes to check: + +* Present: + * `ProposedCertificate` + * `UniqueCertificate` +* Missing: + * `RejectedCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject + +Test cases: + +* Positive: + * Propose adding of DA root certificate: `TestHandler_ProposeAddDaRootCert` + * Propose adding of previously rejected DA root 
certificate: ? + * Propose adding of DA root certificate with same Subject/SKID as existing Approved certificate but different Serial + Number: `TestHandler_ProposeAddX509RootCert_ForDifferentSerialNumber` (need to rewrite) +* Negative: + * TBD + +### Propose and approve adding of DA root certificate + +Indexes: + +* Present: + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject +* Missing: + * `ProposedCertificate` + +Test cases: + +* Positive: + * Propose add approve adding of DA root certificate: `TestHandler_AddDaRootCert`, + `TestHandler_AddDaRootCert_TwoThirdApprovalsNeeded`, + `TestHandler_AddDaRootCert_FourApprovalsAreNeeded_FiveTrustees` +* Negative: + * TBD + +### Propose and reject adding of DA root certificate + +Indexes: + +* Present: + * `RejectedCertificate` +* Missing: + * `ProposedCertificate` + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject + +Test cases: + +* Positive: + * Propose add reject adding of DA root certificate: `TestHandler_RejectAddDaRootCert`, +* Negative: + * TBD + +## [Add DA Intermediate](./handler_add_pai_cert_test.go) + +Indexes to check: + +* Present: + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), SKID, Subject + * `ChildCertificates`: for parent +* Missing: + * `ProposedCertificate` + +Test cases: + +* Positive: + * Add DA intermediate certificate: `TestHandler_AddDaIntermediateCert` +* Negative: + * TBD + +## [Revoke DA Root](./handler_revoke_paa_cert_test.go) + +### Propose revocation of DA root certificate + +Indexes to check: + +* Present: + * `ProposedCertificateRevocation` + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject +* 
Missing: + * `RevokedCertificates` + +Test cases: + +* Positive: + * Propose revocation of DA root certificate: `TestHandler_ProposeRevokeDaRootCert` + * Propose revocation of DA root certificate by not owner: `TestHandler_ProposeRevokeDaRootCert_ByTrusteeNotOwner` +* Negative: + * TBD + +### Propose and approve revocation of DA root certificate + +Indexes: + +* Present: + * `RevokedCertificates` + * `UniqueCertificate` +* Missing: + * `ProposedCertificateRevocation` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), Subject+SKID (root), SKID, Subject + +Test cases: + +* Positive: + * Propose and approve revocation of DA root certificate: `TestHandler_RevokeDaRootCert_TwoThirdApprovalsNeeded` +* Negative: + * TBD + +## [Revoke DA Intermediate](./handler_revoke_pai_cert_test.go) + +Indexes to check: + +* Present: + * `RevokedCertificates` + * `UniqueCertificate` + * Root - stays approved +* Missing: + * `ProposedCertificateRevocation` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), SKID, Subject + * `ChildCertificates`: for parent + +Test cases: + +* Positive: + * Revoke DA intermediate certificate: `TestHandler_RevokeDaIntermediateCert` +* Negative: + * TBD + +## [Remove DA Intermediate](./handler_remove_pai_cert_test.go) + +Indexes to check: + +* Present: + * no +* Missing: + * `RevokedCertificates` + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `DA Certificates`: Subject+SKID (approved), SKID, Subject + * `ChildCertificates`: for parent + +Test cases: + +* Positive: + * Remove DA intermediate certificate: `TestHandler_RemoveDaIntermediateCert_BySubjectAndSKID` +* Negative: + * TBD + +## [Add Noc Root](./handler_add_noc_root_cert_test.go) + +Indexes to check: + +* Present: + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID +* Missing: 
+ * no + +Test cases: + +* Positive: + * Add Noc root certificate: `TestHandler_AddNocRootCert` +* Negative: + * TBD + +## [Add Noc Intermediate](./handler_add_noc_ica_cert_test.go) + +Indexes to check: + +* Present: + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID + * `ChildCertificates`: for parent +* Missing: + * no + +Test cases: + +* Positive: + * Add Noc intermediate certificate: `TestHandler_AddNocIntermediateCert` +* Negative: + * TBD + +## [Revoke Noc Root](./handler_revoke_noc_root_cert_test.go) + +Indexes: + +* Present: + * `RevokedCertificates` (root) + * `UniqueCertificate` +* Missing: + * `RevokedCertificates` (ica) + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID + +* Positive: + * Revoke Noc root certificate: `TestHandler_RevokeNoRootCert` +* Negative: + * TBD + +## [Revoke Noc Ica](./handler_revoke_noc_ica_cert_test.go) + +Indexes: + +* Present: + * `RevokedCertificates` (ica) + * `UniqueCertificate` +* Missing: + * `RevokedCertificates` (root) + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID + * `ChildCertificates`: for parent + +Test cases: + +* Positive: + * Revoke Noc ica certificate: `TestHandler_RevokeNocIntermediateCert` +* Negative: + * TBD + +## [Remove Noc Root](./handler_remove_noc_root_cert_test.go) + +Indexes to check: + +* Present: + * no +* Missing: + * `RevokedCertificates` (root) + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (root), VID+SKID + +Test cases: + +* Positive: + * Remove Noc root certificate by Subject/SKID: `TestHandler_RemoveNocRootCert` +* Negative: + * TBD + +## [Remove Noc Intermediate](./handler_remove_noc_ica_cert_test.go) + +Indexes to check: + +* Present: + * no +* Missing: + * 
`RevokedCertificates` (ica) + * `UniqueCertificate` + * `All Certificates`: Subject+SKID, SKID, Subject + * `Noc Certificates`: Subject+SKID, SKID, Subject, VID (ica), VID+SKID + * `ChildCertificates`: for parent + +Test cases: + +* Positive: + * Remove Noc ica certificate by Subject/SKID: `TestHandler_RemoveNocIntermediateCert` +* Negative: + * TBD \ No newline at end of file From 40d26b7e9be448a8b4217e160418353485f8c405 Mon Sep 17 00:00:00 2001 From: "artem.ivanov" Date: Thu, 21 Nov 2024 10:43:16 +0300 Subject: [PATCH 7/8] Test Document Refactoring + Added missing file --- .../pki/all_certificates_by_subject_key_id.ts | 99 +++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 ts-client/zigbeealliance.distributedcomplianceledger.pki/types/zigbeealliance/distributedcomplianceledger/pki/all_certificates_by_subject_key_id.ts diff --git a/ts-client/zigbeealliance.distributedcomplianceledger.pki/types/zigbeealliance/distributedcomplianceledger/pki/all_certificates_by_subject_key_id.ts b/ts-client/zigbeealliance.distributedcomplianceledger.pki/types/zigbeealliance/distributedcomplianceledger/pki/all_certificates_by_subject_key_id.ts new file mode 100644 index 000000000..abb4c3e4d --- /dev/null +++ b/ts-client/zigbeealliance.distributedcomplianceledger.pki/types/zigbeealliance/distributedcomplianceledger/pki/all_certificates_by_subject_key_id.ts 
@@ -0,0 +1,99 @@ +/* eslint-disable */ +import _m0 from "protobufjs/minimal"; +import { Certificate } from "./certificate"; + +export const protobufPackage = "zigbeealliance.distributedcomplianceledger.pki"; + +export interface AllCertificatesBySubjectKeyId { + subjectKeyId: string; + certs: Certificate[]; + schemaVersion: number; +} + +function createBaseAllCertificatesBySubjectKeyId(): AllCertificatesBySubjectKeyId { + return { subjectKeyId: "", certs: [], schemaVersion: 0 }; +} + +export const AllCertificatesBySubjectKeyId = { + encode(message: AllCertificatesBySubjectKeyId, writer: _m0.Writer = _m0.Writer.create()): _m0.Writer { + if (message.subjectKeyId !== "") { + writer.uint32(10).string(message.subjectKeyId); + } + for (const v of message.certs) { + Certificate.encode(v!, writer.uint32(18).fork()).ldelim(); + } + if (message.schemaVersion !== 0) { + writer.uint32(24).uint32(message.schemaVersion); + } + return writer; + }, + + decode(input: _m0.Reader | Uint8Array, length?: number): AllCertificatesBySubjectKeyId { + const reader = input instanceof _m0.Reader ? input : new _m0.Reader(input); + let end = length === undefined ? reader.len : reader.pos + length; + const message = createBaseAllCertificatesBySubjectKeyId(); + while (reader.pos < end) { + const tag = reader.uint32(); + switch (tag >>> 3) { + case 1: + message.subjectKeyId = reader.string(); + break; + case 2: + message.certs.push(Certificate.decode(reader, reader.uint32())); + break; + case 3: + message.schemaVersion = reader.uint32(); + break; + default: + reader.skipType(tag & 7); + break; + } + } + return message; + }, + + fromJSON(object: any): AllCertificatesBySubjectKeyId { + return { + subjectKeyId: isSet(object.subjectKeyId) ? String(object.subjectKeyId) : "", + certs: Array.isArray(object?.certs) ? object.certs.map((e: any) => Certificate.fromJSON(e)) : [], + schemaVersion: isSet(object.schemaVersion) ? 
Number(object.schemaVersion) : 0, + }; + }, + + toJSON(message: AllCertificatesBySubjectKeyId): unknown { + const obj: any = {}; + message.subjectKeyId !== undefined && (obj.subjectKeyId = message.subjectKeyId); + if (message.certs) { + obj.certs = message.certs.map((e) => e ? Certificate.toJSON(e) : undefined); + } else { + obj.certs = []; + } + message.schemaVersion !== undefined && (obj.schemaVersion = Math.round(message.schemaVersion)); + return obj; + }, + + fromPartial, I>>( + object: I, + ): AllCertificatesBySubjectKeyId { + const message = createBaseAllCertificatesBySubjectKeyId(); + message.subjectKeyId = object.subjectKeyId ?? ""; + message.certs = object.certs?.map((e) => Certificate.fromPartial(e)) || []; + message.schemaVersion = object.schemaVersion ?? 0; + return message; + }, +}; + +type Builtin = Date | Function | Uint8Array | string | number | boolean | undefined; + +export type DeepPartial = T extends Builtin ? T + : T extends Array ? Array> : T extends ReadonlyArray ? ReadonlyArray> + : T extends {} ? { [K in keyof T]?: DeepPartial } + : Partial; + +type KeysOfUnion = T extends T ? keyof T : never; +export type Exact = P extends Builtin ? P + : P & { [K in keyof P]: Exact } & { [K in Exclude>]: never }; + +function isSet(value: any): boolean { + return value !== null && value !== undefined; +} From f06d87fba95f479302aee465ef4f812b95589d56 Mon Sep 17 00:00:00 2001 From: "artem.ivanov" Date: Thu, 21 Nov 2024 16:21:41 +0300 Subject: [PATCH 8/8] Corrected helper location --- x/pki/keeper/grpc_query_revoked_certificates.go | 14 -------------- x/pki/keeper/revoked_certificates.go | 14 ++++++++++++++ 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/x/pki/keeper/grpc_query_revoked_certificates.go b/x/pki/keeper/grpc_query_revoked_certificates.go index f7ccf9e4d..0652726e9 100644 --- a/x/pki/keeper/grpc_query_revoked_certificates.go +++ b/x/pki/keeper/grpc_query_revoked_certificates.go 
@@ -57,17 +57,3 @@ func (k Keeper) RevokedCertificates(c context.Context, req *types.QueryGetRevoke
 return &types.QueryGetRevokedCertificatesResponse{RevokedCertificates: val}, nil
 }
-
-// IsRevokedCertificatePresent Check if the Revoked Certificate is present in the store.
-func (k Keeper) IsRevokedCertificatePresent(
- ctx sdk.Context,
- subject string,
- subjectKeyID string,
-) bool {
- store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RevokedCertificatesKeyPrefix))
-
- return store.Has(types.RevokedCertificatesKey(
- subject,
- subjectKeyID,
- ))
-}
diff --git a/x/pki/keeper/revoked_certificates.go b/x/pki/keeper/revoked_certificates.go
index d71bbe1ee..4c82926e1 100644
--- a/x/pki/keeper/revoked_certificates.go
+++ b/x/pki/keeper/revoked_certificates.go
@@ -110,3 +110,17 @@ func (k msgServer) removeOrUpdateRevokedX509Cert(
 )
 }
 }
+
+// IsRevokedCertificatePresent Check if the Revoked Certificate is present in the store.
+func (k Keeper) IsRevokedCertificatePresent(
+ ctx sdk.Context,
+ subject string,
+ subjectKeyID string,
+) bool {
+ store := prefix.NewStore(ctx.KVStore(k.storeKey), pkitypes.KeyPrefix(types.RevokedCertificatesKeyPrefix))
+
+ return store.Has(types.RevokedCertificatesKey(
+ subject,
+ subjectKeyID,
+ ))
+}
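Review bot: The doc comment carried over with `IsRevokedCertificatePresent` in the `revoked_certificates.go` hunk does not follow Go doc form and leaves out what a caller most needs to know: the check is `store.Has` on the Subject/SubjectKeyID key only, so a true result says an entry exists under that key, not which serial number is revoked. The test design document in this series already covers certificates that share Subject/SKID and differ by serial number, so the distinction matters to anyone using this as a revocation check. I would write `// IsRevokedCertificatePresent reports whether a revoked-certificates entry exists for the given subject and subjectKeyID; it does not compare serial numbers.` The function body itself is moved unchanged from `grpc_query_revoked_certificates.go`.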